April is a cruel month for medical records breaches

Personal information on 315,000 patients of Atlanta-based Emory Healthcare is missing, the hospital system announced.

The information was on 10 backup disks and contained information on surgical patients treated at Emory University Hospital, Emory University Hospital Midtown and The Emory Clinic Ambulatory Surgery Center between September 1990 and April 2007.

In addition to patient names, procedures, surgeon names, dates of surgery and diagnoses, the disks also had 228,000 patient Social Security numbers. Emory began mailing letters to patients informing them of the situation April 17. It also set up a toll free hotline for patient questions.


Related coverage:

Victim list in Utah medical-records hack grows to 780,000


An internal investigation concluded the disks were removed sometime between Feb. 7 and Feb. 20, 2012. There was no hacking of Emory's electronic medical records or other systems.

"While we have no evidence at this time that any personal information has been misused as a result of this incident, we want to take all precautions to ensure our patients' information is safe," said John T. Fox, president and CEO of Emory Healthcare, adding that Emory would provide affected patients credit monitoring and identity protection services.

The Emory breach is the second major medical information security breach reported in as many weeks. In Utah, a password authentication configuration error recently allowed hackers to steal up to 280,000 Social Security numbers and information on as many as 780,000 individuals, GCN reported.

In Emory's case, the disks were kept in an employee's office cabinet in a hallway with restricted access, reported WSBTV2 . The employee did not properly secure the disks but will not face disciplinary action, the station reorted. Since the disks were not labeled “patient information,” few people would know what they contained, Fox said in the article.

The data was in an obsolete, rarely used format for a software system deactivated in 2007. In addition, a special piece of equipment is needed to read the disks. The last time data was accessed in the system was 2010.

A recent survey found employee error to be the primary cause of security breaches if U.S. healthcare providers. Twenty-seven percent of the 250 providers surveyed experienced at least one security breach in the past year.

As a result of the incident, Emory Healthcare “has launched an institution-wide initiative to reinforce and clarify existing policies and procedures for safeguarding the security and privacy of sensitive information. In addition, Emory is conducting a comprehensive inventory of all physical spaces across the system to ensure data are properly secured,” the hospital system said.  


About the Author

Kathleen Hickey is a freelance writer for GCN.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above