Compliance Helper Blog

Siemens to FedEx to Lincoln: Oops 130,495 Patient Records Breached by Two Business Associates.

Posted July 2, 2010 09:12 AM by Jack Anderson CEO Compliance Helper    

Sending unencrypted PHI through a carrier is a violation of any good privacy and security policies and procedures, and a CE should be managing their BAs better. Periodic risk assessments can lead to an evaluation of your policies and procedures that would reveal these gaps in your security and privacy program.

What is interesting to me is that the hospital says that they are not using FedEx to ship patient records anymore.  So does this mean that they are trusting USPS or UPS or have they realized that encryption might be a good idea?

 

Here is the article from Computerworld:

New York hospital loses data on 130,000 via FedEx

Breach affects 130,495 patients
  • Robert McMillan (IDG News Service/San Francisco Bureau)
  • 30 June, 2010 15:46
New York's Lincoln Medical and Mental Health Center is notifying patients that their personal information may have been compromised after seven CDs full of unencrypted data were FedExed by a hospital contractor and then lost in transit.

The CDs were sent by the hospital's billing processor, Siemens Medical Solutions USA, around March 16, but never arrived at their intended destination. They included sensitive health and personal information including Social Security numbers, addresses, dates of birth, health plan numbers, driver's license numbers and even descriptions of medical procedures, the hospital said on a note posted to its Web site.

The breach affects 130,495 patients, according to a notification posted Tuesday by the U.S. Department of Health and Human Services.

"FedEx has suggested that the CDs likely became separated from their shipping envelope at one of its facilities, were swept up and destroyed," the hospital said in a letter sent to victims, dated June 4.

The CD was password-protected but unencrypted, the letter states.

Companies have begun taking better care of their customers' data in recent years, as they've had to foot multimillion-dollar bills following similar incidents. According to the Ponemon Institute, a security research firm, the average U.S. data breach costs companies more than US$200 per record .

Siemens is no longer FedExing CDs to Lincoln, the hospital said. It is not aware of any of the data being improperly accessed.


Add Your Comments

(not published)