Emory Notifies 315k of Missing Disks228,000 Social Security Numbers on Backup Media
Emory Healthcare in Atlanta is offering 315,000 surgical patients one year's worth of free credit monitoring services after discovering that 10 backup disks containing patient information are missing.
The information on the unencrypted disks, missing from a storage area at Emory University Hospital, includes Social Security numbers for 228,000 patients. Other information on the disks includes patient names; dates of surgery; diagnoses; procedure codes or names of surgical procedures; device implant information; and surgeon and anesthesiologist names.
Patients affected were treated at Emory University Hospital, Emory University Hospital Midtown or the Emory Clinic Ambulatory Surgery Center between September 1990 and April 2007.
Disks Removed in February
An investigation determined the disks were "removed" between Feb. 7 and Feb. 20, according to an Emory Healthcare statement. "They contained data files from an obsolete software system that was deactivated in 2007," the statement notes. "This deactivated system was accessed very infrequently and only as requested by either patients or their physicians. They last time they were accessed was in 2010."
Emory Healthcare has launched an initiative to "reinforce and clarify existing policies and procedures for safeguarding the security and privacy of sensitive information," the statement notes. "Emory is conducting a comprehensive inventory of all physical spaces across the system to ensure data are properly secured."
So far, Emory has no evidence that any personal information has been misused as a result of the incident, and an investigation of the potential data breach continues.