Incident & Breach Response , Security Operations

Breach Stems from Lost FedEx Shipment

CDs Had Information on 130,000
Breach Stems from Lost FedEx Shipment
A New York hospital is reporting a breach affecting more than 130,000 patients stemming from unencrypted compact disks lost in a FedEx shipment.

The incident at Lincoln Medical and Mental Health Center in the Bronx was added this week to the list of major breaches complied by the Department of Health and Human Services' Office for Civil Rights. That list, which tracks breaches affecting more than 500 individuals dating back to last September, now stands at 103.

Also added to the list this week was a breach at a WellPoint Inc. web site that is reported to have affected 480,000 individuals, not 470,000 as the insurance company estimated June 24.

The notice on the OCR list says the WellPoint incident originated last November. But a company executive said that the insurer did not become aware of the breach until March 8, when it was notified of a class action lawsuit over the accessibility of patient information on the site.

Shipment Lost

The New York hospital reports that sometime between March 16 and 24, a weekly shipment of seven duplicate CDs created by Siemens Medical Solutions USA Inc. was lost in transport. Siemens performs billing and claims processing for the hospital.

The missing CDs contained patient information that included name, address, Social Security number, medical record number, patient number, health plan information, date of birth, dates of admission and discharge, diagnosis information, and, in certain cases, driver's license number.

The hospital says there is no evidence that the information has been improperly used and notes the CDs were password protected. However, it sent letters to patients advising them to monitor their credit reports.

Lincoln has directed Siemens to stop sending CDs via FedEx, and says "policies have been put in place to ensure that a similar incident does not occur."

Under the HITECH Act breach notification rule, breaches affecting more than 500 must be reported to OCR, the media and the individuals affected within 60 days.


About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.