Emory Healthcare in Atlanta says that it has misplaced 10 backup disks containing information for 315,000 patients.
The health system provides clinical care as part of the Robert W. Woodruff Health Sciences Center of Emory University.
Emory announced the data breach on April 18. The health system didn't immediately respond to eWEEK's request for comment.
The 10 disks held data on surgical patients treated between September 1990 and April 2007, the health system reported. The disks are missing from a storage location at Emory University Hospital.
The locations where affected patients were treated include Emory University Hospital Midtown and the Emory Clinic Ambulatory Surgery Center.
Of the 315,000 patient files on the disks, 228,000 included Social Security numbers. Other information at risk included patient names, dates of surgery, diagnoses and procedure codes. The names of the surgeons and anesthesiologists whom the patients had seen were also included in the records.
The disks contained old data from software Emory deactivated in 2007. The hospital's IT systems were not hacked into, the health system stressed.
"We sincerely regret this incident and want to assure our patients that we are committed to safeguarding their personal information," John T. Fox, president and CEO of Emory Healthcare, said in a statement. "While we have no evidence at this time that any personal information has been misused as a result of this incident, we want to take all precautions to ensure our patients' information is safe."
Fox's own data may have been included on the disks, since he had surgery at the hospital during the period the data covers, the Atlanta Journal-Constitution reported.
Emory stored the unencrypted disks in an unlocked cabinet, although the office was locked at night, Fox said at an April 18 press conference, according to the Journal-Constitution.
The disks held data from software no longer in use, but organizations that continue to run outdated systems or firewalls are at greater risk of a data breach, experts say.
The disks disappeared between Feb. 7 and Feb. 20, according to Emory, and the health system informed patients beginning April 17.
"We have taken immediate steps to fortify the protective measures that are already in place," Emory wrote in its letter to patients. "New and enhanced data control measures have been implemented accordingly."
Emory didn't specify which data control measures have been implemented, however.
The hospital system has set up a Website and a hotline (855-205-6950) for patients to inquire about the breach. It will also provide patients with identity protection through IT security provider Kroll.
In an April 11 report, Kroll and HIMSS Analytics suggested that health care organizations need to do more to establish policies on patient data security. Ways to tighten security include stricter hiring practices, more background checks and minimizing access to data, said Lisa Gallagher, senior director of privacy and security for HIMSS.
Another recent data breach occurred at the Utah Department of Technology Services when a hacker from Eastern Europe broke into a server holding Social Security numbers for Medicaid claims. A weak password was to blame for the incident.