The confidential personal health data of about 1.7 million New York City patients, staff members and others affiliated with four Bronx hospitals were stolen in December, according to the city's Health and Hospitals Corp.
Thieves robbed a van containing
health records for more than 1.7 million patients, staff, vendors and
contractors of the North Bronx Healthcare Network in New York City.
The computer backup tapes
were stolen Dec. 23, but the New York City Health and Hospitals Corporation
began notifying victims Feb. 9, according to a statement issued Feb. 11 by the
14-hospital system. While it took HHC nearly two months before reporting the
data breach, it was well within the 60-day period required by New York state
law. It took HHC this long to sort through the files to assess what kind of
information the tapes had contained and to whom it belonged, before reporting
the data breach, according the hospital group.
"Letters in 17 languages
have begun to be mailed to patients and affected individuals this week advising
them of the theft and informing them of protective services that have been made
available," Alan D. Aviles, the president of the HHC, said in the statement.
The data breach affects patients
who have visited the Jacobi Medical Center, North Central Bronx Hospital,
Tremont Health Center and Gunhill Health Center from 1991 to Dec. 2010. The
stolen flies also contained medical information for staff, vendors and
contractors who work for the hospitals and had either access to the QuadraMed
computer medical record system, or had been examined and screened by the
hospitals' Occupational Health Service, HHC said.
The tapes contained the full
names, addresses, Social Security numbers, medical record numbers, health
insurance information, diagnosis and treatment data, telephone numbers, birth
dates, admission and discharge dates, and mothers' maiden names, according to HHC's FAQ site
Staff, vendors and contractors may have other personal information, such as
professional license numbers.
However, "there is no
evidence to indicate that the information has been accessed and misued," HHC's
The data wasn't in plain text,
so it appears the data is somewhat hard to access. "The data in stolen files is
not readily accessible without highly specialized technical expertise and data-mining
tools," HHC said. However, the data was not encrypted. HHC said it will
"expedite plans" to encrypt all future backup tapes.
Data breaches cost the
health care industry $6 billion annually, according to a study by the Ponemon
Reasons for data breaches include poor management of data
access, lack of encryption, loss or theft of devices, and failure to shred documents,
Ponemon wrote. In a survey of health care facilities, 69 percent of those
polled had insufficient policies and procedures to thwart a data breach and
detect the loss of patient data.
HHC took "decisive steps to
protect the individuals who are potentially affected," the corporation said. It
will provide credit-monitoring and anti-fraud services via Debix to anyone
concerned about identity
. HHC has also notified the relevant authorities, including the
attorney general, the New York State Office of Cyber Security and consumer
reporting agencies. Customer care centers opened at the hospital to help answer
questions on Feb. 14. The victims have 120 days to register by calling
The driver for the
contracted firm hired to transport the tapes to a "secure storage location" had
left the van unlocked in Manhattan while making another pickup, HHC said on its
FAQ site. While the theft was reported immediately to the police and the driver
has been fired for negligence, the hospital system has terminated its contract.
HHC also filed a lawsuit Feb. 10 against GRM Information Services for the costs
of operating a special customer hotline to deal with the breach and all other
According to the Ponemon
, data breaches cost $204 per compromised record. With nearly 1.7
million records compromised, this data breach would cost HHC in the range of
Officials with GRM didn't
respond to calls for comment.