Stolen Hard Drive Affects 82,000
Unencrypted Device Taken From Parked Car
The breach involved an employee of MedAssets, a business associate of the healthcare systems that provides administrative and business services.
The Department of Health and Human Services' Office for Civil Rights reports that 50,167 patients at six hospitals in the Saint Barnabas Health Care System in New Jersey, plus 32,0008 at the Cook County Health & Hospitals System in Chicago, were affected by the June 24 breach.
An announcement on the Saint Barnabas website notes that the external hard drive was stolen from a MedAssets employee's car while it was parked outside a restaurant. The hard drive was neither password protected nor encrypted, according to a statement on the Cook County system's website.
The healthcare organizations report that the drives included such information as patient names, account numbers and other administrative information. While Cook County reports no addresses, birth dates or Social Security numbers of its patients were on the hard drives, Saint Barnabas says dates of birth were included for certain patients, along with Social Security numbers for about 7 percent of affected patients.
The healthcare organizations report there is no evidence yet that the information on the drive has been improperly accessed or used. "MedAssets has provided written confirmation that it is implementing improved privacy safeguards to avoid similar incidents in the future, including eliminating the use of all unencrypted hard drives used for data backup by its employees and strengthening the enforcement of its existing policy prohibiting their use," according to the Saint Barnabas statement. "We have also directed that MedAssets provide patient privacy retraining to its employees working at our facilities."
The Cook County system's statement notes that, unrelated to this incident, it no longer uses MedAssets as a vendor.