Stolen Hard Drive Affects 82,000

Unencrypted Device Taken From Parked Car
A breach involving the theft of an unencrypted hard drive from a car has affected more than 82,000 patients treated at healthcare systems in New Jersey and Illinois, according to the official federal tally of major health information breaches.

The breach involved an employee of MedAssets, a business associate of the healthcare systems that provides administrative and business services.

The Department of Health and Human Services' Office for Civil Rights reports that 50,167 patients at six hospitals in the Saint Barnabas Health Care System in New Jersey, plus 32,0008 at the Cook County Health & Hospitals System in Chicago, were affected by the June 24 breach.

An announcement on the Saint Barnabas website notes that the external hard drive was stolen from a MedAssets employee's car while it was parked outside a restaurant. The hard drive was neither password protected nor encrypted, according to a statement on the Cook County system's website.

The healthcare organizations report that the drives included such information as patient names, account numbers and other administrative information. While Cook County reports no addresses, birth dates or Social Security numbers of its patients were on the hard drives, Saint Barnabas says dates of birth were included for certain patients, along with Social Security numbers for about 7 percent of affected patients.

The healthcare organizations report there is no evidence yet that the information on the drive has been improperly accessed or used. "MedAssets has provided written confirmation that it is implementing improved privacy safeguards to avoid similar incidents in the future, including eliminating the use of all unencrypted hard drives used for data backup by its employees and strengthening the enforcement of its existing policy prohibiting their use," according to the Saint Barnabas statement. "We have also directed that MedAssets provide patient privacy retraining to its employees working at our facilities."

The Cook County system's statement notes that, unrelated to this incident, it no longer uses MedAssets as a vendor.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
