Emory Healthcare says 10 backup disks containing data on 315,000 patients are missing from a hospital storage facility. The 10 disks held data on surgical patients treated between September 1990 and April 2007.
announced the data breach on April 18. The health system didn't immediately
respond to eWEEK's request for
10 disks held data on surgical patients treated between September 1990 and
April 2007, the health system reported. The disks are missing from a storage
location at Emory University Hospital.
locations where affected patients were treated include Emory University Hospital
Midtown and the Emory Clinic Ambulatory Surgery Center.
the 315,000 patient files on the disks, 228,000 included Social Security
numbers. Other information at risk included patient names, dates of surgery,
diagnoses and procedure codes. Names of surgeons and anesthesiologists that the
patients had seen were also included in the records.
disks contained old data from software Emory deactivated in 2007. The
hospital's IT systems were not hacked into, the health system stressed.
sincerely regret this incident and want to assure our patients that we are
committed to safeguarding their personal information," John T. Fox,
president and CEO of Emory Healthcare, said in a statement. "While we have
no evidence at this time that any personal information has been misused as a
result of this incident, we want to take all precautions to ensure our
patients' information is safe."
own data may have been included on the disks, since he had surgery at the
hospital during the period the data covers, the Atlanta
stored the unencrypted disks in an unlocked cabinet, although the office was
locked at night, Fox said at an April 18 press conference, according to the Journal-Constitution.
the disks contained data for outdated software no longer in use, those
companies that do use outdated systems or firewalls are more at risk of a data
breach, experts say.
disks disappeared between Feb. 7 and Feb. 20, according to Emory, and the
health system informed patients beginning April 17.
have taken immediate steps to fortify the protective measures that are already
in place," Emory wrote in its letter to patients. "New and enhanced
data control measures have been implemented accordingly."
didn't specify which data control measures have been implemented, however.
hospital system has set up a Website and a hotline
(855-205-6950) for patients to inquire about the breach. It will also provide
patients with identity protection through IT security provider Kroll.
11 report, Kroll and HIMSS Analytics suggested that health care
organizations need to step up in forming policies regarding patient data
security. Methods to tighten security include stricter hiring practices, more
background checks and minimizing data access, said Lisa Gallagher, senior
director of privacy and security for HIMSS.
data breach occurred at the Utah Department of Technology Services when a
hacker from Eastern Europe broke into a server holding Social Security numbers
for Medicaid claims. A weak password was to blame for the incident.
Brian T. Horowitz is a freelance technology and health writer as well as a copy editor. Brian has worked on the tech beat since 1996 and covered health care IT and rugged mobile computing for eWEEK since 2010. He has contributed to more than 20 publications, including Computer Shopper, Fast Company, FOXNews.com, More, NYSE Magazine, Parents, ScientificAmerican.com, USA Weekend and Womansday.com, as well as other consumer and trade publications. Brian holds a B.A. from Hofstra University in New York.