About 14,000 Patients Impacted by Data Breaches at FDNY and Perry County Medical Center

The New York Fire Department (FDNY) ambulance had taken over 10,000 EMS patients to the hospital from 2011 to 2018. Sadly, some of the patients’ protected health information (PHI) were exposed.

FDNY spokesperson Myles Miller said one employee failed to follow the data security policies of the department, which resulted to a loss of data.

The fire department discovered on March 4, 2019 that a personal hard drive of an employee was missing. The employee used the hard drive to store documents that contain patient data including patient care reports.

When there is a 911 call requiring an ambulance, a patient care report is generated. The stored reports contained the data of 10,253 patients, which include their names, addresses, phone numbers, birth dates, insurance information, health condition, and the Social Security numbers of about 3,000 patients.

FDNY is now notifiying all people affected by the breach. Those who had their Social Security numbers exposed were offered free credit monitoring services. FDNY is responding to the breach as though an unauthorized person has accessed the information.

The employee concerned had authority to access patient data but he was not permitted to store the files with PHI in a personal, unencrypted hard drive. FDNY will impose disciplinary measures on the employee. All employees allowed to access medical data will also undergo retraining.

Email Account Breach at Tennessee Health Group

Perry County Medical Center in Linden, TN, dba Three Rivers Community Health Group, learned that an unauthorized person accessed the email account of an employee.

The center discovered the email account breach on May 28, 2019. The forensic investigators confirmed the possibility that patient data was viewed or copied.

The emails and email attachments contained the following types of data: names, birth dates, doctor’s name, dates of service, pharmacy and prescription details, and insurance group ID numbers. Only the first and last names of a number of patients were exposed.

The medical center notified the affected patients on July 26, 2019 and is currently taking steps to stop the occurrence of similar breaches down the road.

The breach summary on the HHS’ Office for Civil Rights breach portal states that the breach impacted 3,812 patients.