Breach Stems from Lost FedEx ShipmentCDs Had Information on 130,000
The incident at Lincoln Medical and Mental Health Center in the Bronx was added this week to the list of major breaches complied by the Department of Health and Human Services' Office for Civil Rights. That list, which tracks breaches affecting more than 500 individuals dating back to last September, now stands at 103.
Also added to the list this week was a breach at a WellPoint Inc. web site that is reported to have affected 480,000 individuals, not 470,000 as the insurance company estimated June 24.
The notice on the OCR list says the WellPoint incident originated last November. But a company executive said that the insurer did not become aware of the breach until March 8, when it was notified of a class action lawsuit over the accessibility of patient information on the site.
Shipment LostThe New York hospital reports that sometime between March 16 and 24, a weekly shipment of seven duplicate CDs created by Siemens Medical Solutions USA Inc. was lost in transport. Siemens performs billing and claims processing for the hospital.
The missing CDs contained patient information that included name, address, Social Security number, medical record number, patient number, health plan information, date of birth, dates of admission and discharge, diagnosis information, and, in certain cases, driver's license number.
The hospital says there is no evidence that the information has been improperly used and notes the CDs were password protected. However, it sent letters to patients advising them to monitor their credit reports.
Lincoln has directed Siemens to stop sending CDs via FedEx, and says "policies have been put in place to ensure that a similar incident does not occur."
Under the HITECH Act breach notification rule, breaches affecting more than 500 must be reported to OCR, the media and the individuals affected within 60 days.