Over 130,000 people affected

Jul 3, 2010 10:49 GMT  ·  By

The Lincoln Medical and Mental Health Center in New York has notified over 130,000 patients that their personal and medical data was potentially exposed because several CDs containing it were lost. The disks disappeared while being transported from the billing processor to the hospital via FedEx.

The CDs apparently contained a wealth of information valuable to identity thieves. In a notification about the incident posted on its website, the hospital reveals that the data included personally identifiable information (PII) such as Social Security numbers, addresses, dates of birth and, in some cases, driver's license numbers.

This information alone would be enough to open a line of credit in a patient's name, but unfortunately the disks also contained associated medical data, including health plan numbers and descriptions of the medical procedures the patients underwent, opening the door to even more complex identity theft attacks, such as fraudulent insurance claims in the patient's name.

According to Lincoln Hospital, the CDs originated from one of its contractors, Siemens Medical Solutions USA, which shipped them through FedEx, as it did every other week. The hospital also notes that since the incident, new policies have been put in place requiring Siemens to stop sending sensitive data via carriers.

The hospital mentioned that the data was password-protected, but did not reveal any specifics about the technology used. However, since the hospital notified the U.S. Department of Health and Human Services (HHS) about the incident, it can reasonably be concluded that the data was not properly encrypted. The federal breach notification rule for health information only requires covered entities to provide notifications if the data "has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance." That guidance points to NIST encryption standards; a password prompt on a file or archive does not satisfy it on its own, because the underlying data must actually be encrypted, not merely gated behind a password check.

According to a note on the U.S. Department of Health and Human Services website, the Lincoln Hospital breach affects 130,495 individuals. The letter sent by the hospital to its patients contains instructions on how to protect themselves against identity theft and how to obtain free credit reports.

You can follow the editor on Twitter @lconstantin