NYC Hospital Data Theft Affects 1.7 Million Patients

The confidential personal health data of about 1.7 million New York City patients, staff members and others affiliated with four Bronx hospitals were stolen in December, according to the city's Health and Hospitals Corp.

Thieves robbed a van containing health records for more than 1.7 million patients, staff, vendors and contractors of the North Bronx Healthcare Network in New York City.

The computer backup tapes were stolen Dec. 23, but the New York City Health and Hospitals Corporation began notifying victims Feb. 9, according to a statement issued Feb. 11 by the 14-hospital system. While it took HHC nearly two months before reporting the data breach, it was well within the 60-day period required by New York state law. It took HHC this long to sort through the files to assess what kind of information the tapes had contained and to whom it belonged, before reporting the data breach, according to the hospital group.

"Letters in 17 languages have begun to be mailed to patients and affected individuals this week advising them of the theft and informing them of protective services that have been made available," Alan D. Aviles, the president of the HHC, said in the statement.

The data breach affects patients who have visited the Jacobi Medical Center, North Central Bronx Hospital, Tremont Health Center and Gunhill Health Center from 1991 to Dec. 2010. The stolen files also contained medical information for staff, vendors and contractors who work for the hospitals and either had access to the QuadraMed computer medical record system, or had been examined and screened by the hospitals' Occupational Health Service, HHC said.

The tapes contained the full names, addresses, Social Security numbers, medical record numbers, health insurance information, diagnosis and treatment data, telephone numbers, birth dates, admission and discharge dates, and mothers' maiden names, according to HHC's FAQ site. Staff, vendors and contractors may have other personal information, such as professional license numbers.

However, "there is no evidence to indicate that the information has been accessed and misused," HHC's Aviles said.

The data wasn't in plain text, so it appears the data is somewhat hard to access. "The data in stolen files is not readily accessible without highly specialized technical expertise and data-mining tools," HHC said. However, the data was not encrypted. HHC said it will "expedite plans" to encrypt all future backup tapes.

Data breaches cost the health care industry $6 billion annually, according to a study by the Ponemon Institute. Reasons for data breaches include poor management of data access, lack of encryption, loss or theft of devices, and failure to shred documents, Ponemon wrote. In a survey of health care facilities, 69 percent of those polled had insufficient policies and procedures to thwart a data breach and detect the loss of patient data.

HHC took "decisive steps to protect the individuals who are potentially affected," the corporation said. It will provide credit-monitoring and anti-fraud services via Debix to anyone concerned about identity theft. HHC has also notified the relevant authorities, including the attorney general, the New York State Office of Cyber Security and consumer reporting agencies. Customer care centers opened at the hospital on Feb. 14 to help answer questions. The victims have 120 days to register by calling 1-877-412-7148.

The driver for the contracted firm hired to transport the tapes to a "secure storage location" had left the van unlocked in Manhattan while making another pickup, HHC said on its FAQ site. The theft was reported immediately to the police, the driver has been fired for negligence, and the hospital system has terminated its contract. HHC also filed a lawsuit Feb. 10 against GRM Information Services for the costs of operating a special customer hotline to deal with the breach and all other remediation measures.

According to the Ponemon Institute, data breaches cost $204 per compromised record. With nearly 1.7 million records compromised, this data breach would cost HHC in the range of $347 million.

Officials with GRM didn't respond to calls for comment.