NYU Langone Health System has found that files that included a log of presurgical insurance authorizations, relating to around 2,000 patients, was mistakenly recycled by a cleaning company in October 2017.
Data in the binder included names, birth dates, dates of service, current procedural terminology code, diagnosis codes, insurer names, and insurance ID details. In some cases, brief notes may have been included, along with insurance approvals/denials and current inpatient/outpatient status. No Social Security details were recorded in the paperwork, and neither any financial idata.
As is necessary to comply with by HIPAA, NYU Langone Health System had put in place a policy that requires all PHI to be disposed of securely when it is no longer needed, normally by shredding documents. As the binder was taken for recycling by mistake, that did not occur.
Since insurance ID details were present in the logs, NYU Langone Health System has contacted all affected patients to offer complimentary identity theft protection services and cyber monitoring services through ID Experts for 12 months.
To avoid similar incidents from happening in the future, staff have been retrained on the importance of safeguarding patient information and practice workflow has been refreshed to improve the security of sensitive patient information. No reports have been received to suggest any information has been used improperly.
Chilton Medical Center HIPAA Breach Affects 4,600 People
Pequannock, NJ Chilton Medical Center (CMC) has found that a member of staff stole and sold computer hardware containing the PHI of clients. Names, addresses, medical record details, dates of birth, details of allergies and medications received at CMC were saved on an external hard drive that was removed by a staff member and sold on the Internet.
The sale of the hard drive was signed off on by CMC and was in breach of the medical center’s policies. The incident has been reported to the law enforcement agencies as a theft and the Morris County Prosecutor’s Office has been notified. According to the breach notice published on the medical center’s website, the worker no longer is employed at CMC.
Upon finding the breach, an internal investigation was kicked off, and it became apparent that this was not the first occasion that computer hardware and assets had been taken by the former employee and sold on the Internet. Those additional devices and assets are not thought to have stored any patient information, although the investigation is continuing.
Patients affected by the incident had attended CMC for medical services between May 1, 2008 and October 15, 2017. All patients affected were notified of the security incident on December 15, 2017. CMC said additional processes and security measures have been implemented to prevent incidents such as this from occurring again.
The incident has been filed with the Department of Health and Human’ Services Office for Civil Rights (OCR). The breach report suggests 4,600 patients have been put in danger.