Loss of unencrypted hard drive by FDNY worker puts data at risk

The Fire Department of the City of New York is sending data breach notifications after the loss of an unencrypted external hard drive with patient information.

The incident, which occurred in March, may have exposed the protected healthcare information of 10,253 individuals. The department is reporting that an employee lost the unencrypted hard drive after uploading patient data onto a personal device.

NYPD Officers And FDNY Members As Police Are Redeployed In Response To Paris Attack

The atypical incident is a reminder that the fire departments in the U.S. are also subject to HIPAA privacy and security regulations. To date, there is no evidence that data on the employee’s personal device has been accessed.

Affected patients were treated or transported by emergency medical services from 2011 to 2018.

During the investigation, researchers determined that the missing hard drive was unencrypted, which might allow the information to be accessed by an unauthorized individual, the department told affected persons in a breach notification letter.

“There is no indication that information stored on the device has been accessed, but FDNY has chosen to err on the side of caution and treat this incident as though the information may have been seen by an unauthorized individual or individuals. That is the reason you are receiving this notice.”

About 3,000 patients whose Social Security numbers may have been compromised are receiving free credit monitoring services for one year through Equifax.

Protected health information at risk includes names, addresses, gender, telephone numbers, dates of birth, insurance information numbers and heath information related to the reason for an ambulance call.

After the breach, the fire department retrained all employees that had high-level access to protected health information. In addition to the protective services offered to patients with possible compromised Social Security numbers, the department advised all affected persons to review Federal Trade Commission guidelines on additional protective steps to take.

For reprint and licensing requests for this article, click here.