PHI of 6,600 Patients in New York and New Jersey Exposed

by | Dec 19, 2017

NYU Langone Health System has found that files that included a log of presurgical insurance authorizations, relating to around 2,000 patients, was mistakenly recycled by a cleaning company in October 2017.

Data in the binder included names, birth dates, dates of service, current procedural terminology code, diagnosis codes, insurer names, and insurance ID details. In some cases, brief notes may have been included, along with insurance approvals/denials and current inpatient/outpatient status. No Social Security details were recorded in the paperwork, and neither any financial idata.

As is necessary to comply with by HIPAA, NYU Langone Health System had put in place a policy that requires all PHI to be disposed of securely when it is no longer needed, normally by shredding documents. As the binder was taken for recycling by mistake, that did not occur.

Since insurance ID details were present in the logs, NYU Langone Health System has contacted all affected patients to offer complimentary identity theft protection services and cyber monitoring services through ID Experts for 12 months.

To avoid similar incidents from happening in the future, staff have been retrained on the importance of safeguarding patient information and practice workflow has been refreshed to improve the security of sensitive patient information. No reports have been received to suggest any information has been used improperly.

Chilton Medical Center HIPAA Breach Affects 4,600 People

Pequannock, NJ Chilton Medical Center (CMC) has found that a member of staff stole and sold computer hardware containing the PHI of clients. Names, addresses, medical record details, dates of birth, details of allergies and medications received at CMC were saved on an external hard drive that was removed by a staff member and sold on the Internet.

The sale of the hard drive was signed off on by CMC and was in breach of the medical center’s policies. The incident has been reported to the law enforcement agencies as a theft and the Morris County Prosecutor’s Office has been notified. According to the breach notice published on the medical center’s website, the worker no longer is employed at CMC.

Upon finding the breach, an internal investigation was kicked off, and it became apparent that this was not the first occasion that computer hardware and assets had been taken by the former employee and sold on the Internet. Those additional devices and assets are not thought to have stored any patient information, although the investigation is continuing.

Patients affected by the incident had attended CMC for medical services between May 1, 2008 and October 15, 2017. All patients affected were notified of the security incident on December 15, 2017. CMC said additional processes and security measures have been implemented to prevent incidents such as this from occurring again.

The incident has been filed with the Department of Health and Human’ Services Office for Civil Rights (OCR). The breach report suggests 4,600 patients have been put in danger.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy