FDNY loses hard drive with PHI of more than 10,000 patients
The New York City Fire Department (FDNY), which operates ambulances, disclosed in August that 10,253 patients treated or transported by the FDNY from 2011 to 2018 may have had their protected health information (PHI) compromised after an external hard drive containing unencrypted data went missing in March, according to an FDNY press release.
The hard drive, a portable data-storage device, “belonged to an employee authorized to access FDNY patient information,” the FDNY wrote in a letter to those affected. The FDNY stated that the employee uploaded PHI to the personal hard drive, which was subsequently lost. An FDNY investigation into the incident found that the data was unencrypted, putting the patients’ PHI at risk.
The affected patients were notified in August, five months after the FDNY was notified of the lost hard drive. HIPAA requires that individuals be notified no later than 60 days after a breach is discovered. The FDNY is offering complimentary credit monitoring to the nearly 3,000 people whose Social Security numbers were potentially exposed.
The incident highlighted the continuing privacy and security risks associated with mobile devices containing PHI.
“This was not a hacking, but a loss of data caused by one employee’s failure to follow the department’s data security policies,” FDNY spokesman Myles Miller told the New York Post, which reported that the employee is under an internal investigation and faces disciplinary measures.
In the wake of the incident, FDNY employees with access to high-level PHI were retrained to prevent future incidents.