New York Breach Affects 1.7 Million

Largest Incident Reported So Far Under HITECH Rule
Some 1.7 million individuals are being notified of a health information breach incident involving data from The New York City Health and Hospitals Corp. It's the largest breach reported so far under the HITECH Act breach notification rule, which went into effect in September 2009.

Computer backup tapes from the New York provider were stolen on Dec. 23, 2010, from a truck that was transporting them to a secure storage location, according to a website statement from the NYC organization and its letter to those affected. The unencrypted tapes included information on patients and hospital staff from the North Bronx Healthcare Network, a unit of the NYC Health and Hospitals Corp. That network includes Jacobi Medical Center, North Central Bronx Hospital, Tremont Health Center and Gunhill Health Center. Also on the tapes was information the hospitals' occupational health services collected about employees of vendors and contractors.

The information lost, which was collected during the past 20 years, includes: names, addresses, Social Security numbers, patient medical histories and the occupational/employee health information of staff, vendors, contractors and others, according to the statement.

All those affected are being offered one year of free credit protection services.

Breach Incident Details

The tapes were stolen from a truck operated by GRM Information Management Services while the files were being transported to a secure storage location, according to the provider organization. "The incident was reported by GRM to both North Bronx officials and the police the same day, and an investigation was launched immediately," the letter to those affected stated. "To date, these tapes have not been recovered."

In its website statement, the organization noted, "The theft occurred while the GRM van was left unattended and unlocked while the driver made other pickups. GRM reported the incident to the police and dismissed the driver of the vehicle."

The statement also noted: "The data in the stolen files is not readily accessible without highly specialized technical expertise and data mining tools, and there is no evidence to indicate that the information has been accessed and misused."

NYC Health and Hospitals said the loss of the data "occurred through the negligence of a contracted firm that specialized in the secure transport and storage of sensitive data, but HHC is taking responsibility for providing information and credit monitoring services to any affected individual who may be worried about the possibility of identity theft."

Breach Prevention Steps

The provider organization said it has "taken immediate measures to prevent a similar situation from reoccurring; has terminated the contract with the vendor responsible for the loss; and has filed a lawsuit against the vendor to hold it responsible for covering all of the costs associated with notifying all affected individuals and to pay for other damages related to the loss of the data."

A spokesman for NYC Health and Hospitals told HealthcareInfoSecurity that while the organization has encrypted most of its backup files, the tapes that were stolen, unfortunately, had not yet been encrypted.

"HHC has been undergoing a multi-year data center consolidation project, which requires the careful transition and transfer of all data backup systems to the new center for storage," the spokesman said. "As part of this process, HHC had to standardize data systems across the hospitals and encrypt all clinical systems backups. HHC has already encrypted more than 80 percent of the data. The Jacobi and NCB hospital system files were scheduled for the necessary migration and encryption in March 2011."

Despite the lack of encryption, the stolen files will be difficult to decipher, the spokesman contended. "Although the data were not encrypted, it exists in a proprietary program that scrambles the records and would make it difficult for individuals without specialized technical expertise and access to the right software and computer hardware to view the private information."

As a result of the breach incident, the organization has suspended the transport of unencrypted backup files to off-site storage "and will expedite its plan to upgrade critical data to the 256-bit advanced encryption standard, considered by the federal government as the highest level of protection against tampering," the spokesman said. "At the time of the theft, HHC had already upgraded and encrypted nearly 80 percent of the 1,568 systems applications used throughout the corporation. The upgrade is expected to be completed by the fall of 2011."
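The two controls described above, sealing backup images with 256-bit AES before they leave the data center and refusing to ship anything that is not sealed, as an added Go example (not HHC's, GRM's or any vendor's code; the header string, the function names and the tape format are constructed for illustration). AES-GCM is used so that the image is authenticated as well as encrypted, and the key is held by the data owner rather than travelling with the media, which is what gives a lost tape no value on its own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// Header marking a backup image sealed with AES-256-GCM before hand-off to the
// transport vendor. Constructed for this example, not a real tape format.
var sealedMagic = []byte("BKUP-AES256GCM-v1")

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // AES-256 means a 256-bit key, nothing shorter
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// SealBackup encrypts a backup image; the key stays with the data owner, never
// on the media, so a tape lost in transit yields nothing on its own.
func SealBackup(key, image []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return nil, err }
	ct := gcm.Seal(nil, nonce, image, sealedMagic) // header is bound as AAD
	return append(append(append([]byte{}, sealedMagic...), nonce...), ct...), nil
}

// OpenBackup reverses SealBackup; any change to header, nonce or body fails.
func OpenBackup(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	if !TransportAllowed(sealed) || len(sealed) < len(sealedMagic)+gcm.NonceSize() {
		return nil, errors.New("not a sealed backup image")
	}
	body := sealed[len(sealedMagic):]
	return gcm.Open(nil, body[:gcm.NonceSize()], body[gcm.NonceSize():], sealedMagic)
}

// TransportAllowed is the release gate: unsealed media never goes off-site.
func TransportAllowed(media []byte) bool { return bytes.HasPrefix(media, sealedMagic) }
```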

The spokesman also said the organization will hire a new vendor to handle offsite backup data, which will be "stored in highly protected facilities that have climate-controlled, dedicated tape vaults, secure keycard access, video surveillance and trained personnel."

Thefts Lead to Breaches

All three of the largest health information breaches reported so far under the HITECH Act breach notification rule have involved thefts.

The other two largest breaches reported to the Department of Health and Human Services' Office for Civil Rights are:

  • An incident at AvMed Health Plan, which alerted more than 1.2 million about a breach related to the theft of a laptop.
  • An incident at BlueCross BlueShield of Tennessee, which informed nearly 1 million individuals about a breach stemming from the theft of 57 hard drives from a closed call center.

About the Author

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.