NY Hospital Data Breach Affects Thousands
A letter dated June 4 from Lincoln Medical and Mental Health in Bronx, NY notifies 130,945 patients that the security of their protected health information (PHI) has been compromised. Seven CDs created by Siemens Medical Solutions USA, Inc., a company that performs billing and claims processing for Lincoln, were lost while in transit to the hospital “sometime between March 16 and 24.”
“Unfortunately,” the hospital writes in the letter, “the missing CDs contain some of your protected health information, including your name, address, social security number, medical record number, patient number, health plan information, date of birth, dates of admission and discharge, diagnostic and procedural codes and descriptions, and possibly your driver’s license number if provided.”
According to the letter, both FedEx (the carrier responsible for the lost CDs) and Siemens conducted an investigation to no avail. The New York City Health and Hospitals Corporation (HHC), which operates Lincoln, was subsequently notified in an April 2 letter.
Although “Lincoln has no knowledge that the protected health information has been improperly accessed by any person,” the hospital says in a notice posted on its website, HHC has suspended further transport of CDs by carrier between Siemens and Lincoln.
Because the PHI on the CDs was not encrypted, Lincoln was required by law to post the data breach on the Health and Human Services (HHS) website.