I’ve occasionally blogged about the risks of breaches following major storms or weather events. Today I’ve learned that at least one New York hospital suffered a breach after Hurricane Sandy.
Due to the storm surge, Coney Island Hospital’s Ida G. Israel Community Health Center in Brooklyn experienced structural damage. The New York City Health & Hospitals Corporation, which operates city hospitals, terminated CIH’s lease with its landlord while patient care and services were moved to another location. On December 3, however, the landlord, without the knowledge or consent of CIH, prematurely allowed others onto the premises to remove property, including CIH’s computers, records, and files. HHC/CIH employees discovered the breach that day.
Despite the hospital’s best efforts to locate and secure the removed computers and records, they were unable to recover them. The records contained patients’ names, addresses, dates of birth, medical record numbers, patient numbers, and, if the patient had provided them, their Social Security number, driver’s license number, and/or credit or debit card number. Although the missing computers were likely severely damaged and/or unreadable due to submersion in salt water, the hospital appropriately erred on the side of caution and notified everyone.
On January 31, CIH via Health & Hospitals Corporation notified the NYS Division of Consumer Protection of the incident. Their report, obtained by a freedom of information request, indicated that 9,887 patients were notified of the breach, of whom 9,870 were NYS residents.
This breach, too, does not (yet) appear on HHS’s public-facing breach tool.
I was, however, able to locate the notice that Health & Hospitals Corporation had posted on HHC’s web site. I cannot find it on CIH’s web site at this time:
January 31, 2013
Notification of Lost Data
The New York City Health and Hospitals Corporation (HHC) this week began to notify almost 10,000 patients who received services at the Ida G. Israel Community Health Center in Brooklyn about the possible disclosure of some of their personal or protected health information (PHI) when eight computers and numerous documents were lost in the aftermath of Hurricane Sandy.
There is no evidence to indicate that the personal health information in the missing documents and on the computers has, in fact, been improperly accessed by any person or entity. In fact, most of the computers and documents recovered from the health center after the hurricane were severely damaged after being submerged in salt water. Nonetheless, because it is possible that the computers and documents may contain personal health information that is accessible, federal and State law require HHC to give notice of this incident to potentially affected patients. The center is located on leased property and the landlord prematurely authorized the removal of the debris from the health center, which is located at 2201 Neptune Ave., Brooklyn. HHC learned of the debris removal on Dec. 3, 2012 and took immediate steps to investigate the incident, secure the premises of the health center, and recover the discarded property to prevent any further disclosure of information.
HHC is taking all the necessary precautions to protect patients and inform the state and federal oversight, regulatory, and consumer protection agencies. HHC has set up a toll-free hotline, 1-888-91-HIPAA (1-888-914-4722), where patients and other affected individuals can obtain information about steps they may take to protect themselves from possible harm arising from the loss of the PHI. Notification of affected patients began yesterday.
Personal health information can include names, treatment information, medical diagnoses and histories, addresses, medical record numbers, patient numbers, health plan information, dates of birth, and possibly driver’s license numbers, social security numbers, and credit card numbers if provided by the affected patients to us.
Patients who have received care after 2009 at the Health Center may call 311 or the toll-free service line at 1-888-91-HIPAA (1-888-914-4722) if they have questions.
Notification letters to the groups affected are available here. The letters describe the steps affected individuals may take to protect themselves from the possible adverse actions of this incident, including, among other things, ordering a free credit report and placing a credit alert on their consumer credit files. The letters also state that HHC is taking appropriate steps to ensure that a similar breach of information does not recur.
Securing patient records after a major disaster like Hurricane Sandy or the tornado that hit Moore, Oklahoma, may be a near-impossible challenge where paper records and files are involved. Even if no one comes onto the premises, papers with PHI may blow away or float away, and BYOD devices with unencrypted PHI may be left behind or lost. But when it comes to the hospital’s computers and laptops, encryption would provide an important measure of security. HHC’s letter to NYS notes that data may have been accessible. They do not explain why the computers and devices weren’t encrypted. Hopefully, HHS will inquire about that. As overwhelming as Hurricane Sandy was, proactively encrypting files with patient records would have made this incident much less of an issue.