FedEx Loses Disks, 130,495 Affected

Overnight shipper FedEx in March lost seven CDs containing protected health information, causing Lincoln Medical and Mental Health Center in Bronx, N.Y., to recently notify 130,495 patients that their information may have been breached.

The disks, which were password protected but not encrypted, were lost while being transported to Lincoln from Siemens Medical Solutions, which performs billing and claims services for the hospital. The disks had a wide range of patient information: names, addresses, Social Security numbers, medical record numbers, patient numbers, health plan information, date of birth, dates of admission and discharge, diagnostic and procedural codes and descriptions, and some driver's license numbers.

"Please note that Lincoln has no knowledge that your protected health information, has, in fact, been improperly accessed by any person or entity," the notification letter to patients states. "Although the CDs are not protected by a form of technology that renders them unreadable, they are password protected. Furthermore, FedEx has suggested that the CDs likely became separated from their shipping envelope at one of its facilities, were swept up and destroyed."

The letter explains how to order free credit reports, place a credit alert on consumer credit files, monitor account activities to prevent fraud and monitor medical records to prevent medical identity theft. The hospital is not offering affected patients free identity theft and credit protection services, which now is a common but not universal practice.

Transportation of CDs from Siemens to Lincoln was suspended after the incident and the organizations are developing new ways to exchange the information, according to the letter.

Neither the patient letter of notification nor a public notification on the hospital's Web site mention the breach affected 130,495 patients. That number comes from a federal government Web site that lists reported breaches affecting 500 or more individuals since September 2009. More than 100 organizations now are on the list, mandated under the HITECH Act and available here.

A spokesperson for the hospital could not immediately provide additional details of the breach and reasons for not offering credit and identity protection services. To access the hospital's public notice and the patient notification letter, click here, then scroll down and click on Data Security Breach.

--Joseph Goedert

For reprint and licensing requests for this article, click here.