CDs lost en route to Lincoln Medical and Health Center affect 130,495 patients
Date Reported:
6/29/10
Organization:
The City of New York
Contractor/Consultant/Branch:
The New York City Health and Hospitals Corporation (HHC)
Lincoln Medical and Mental Health Center
Siemens Medical Solutions USA
FedEx
Location:
Bronx, New York
Victims:
Patients
Number Affected:
130,495
Types of Data:
"some protected health and personal information of patients including name, address, social security number, medical record number, patient number, health plan information, date of birth, dates of admission and discharge, diagnostic and procedural codes and descriptions, and possibly a driver's license number if provided."
Breach Description:
"Sometime between March 16 and 24, 2010, a weekly shipment of seven duplicate compact disks (CDs) in the custody of FedEx, were lost while being transported to Lincoln Hospital." The CDs contained unencrypted sensitive personal information belonging to patients of Lincoln Hospital.
Reference URL:
Notification from Lincoln Hospital
BusinessWeek
U.S. Department of Health and Human Services
ComputerWorld
The Register
Report Credit:
Lincoln Hospital via The U.S. Department of Health and Human Services
Response:
From the online sources cited above:
New York's Lincoln Medical and Mental Health Center is notifying patients that their personal information may have been compromised after seven CDs full of unencrypted data were FedExed by a hospital contractor and then lost in transit.
[Evan] Do people really think that sending something via FedEx (or UPS, U.S. Mail, courier, etc.) is a secure method of shipment? We have read many stories over the years of shipments becoming lost or stolen. In my opinion, this behavior crosses the line of just being a mistake. It's just plain dumb.
The CDs were sent by the hospital's billing processor, Siemens Medical Solutions USA, around March 16, but never arrived at their intended destination.
[Evan] According to the hospital's notification, these shipments were sent weekly. Ugh.
They included sensitive health and personal information including Social Security numbers, addresses, dates of birth, health plan numbers, driver's license numbers and even descriptions of medical procedures, the hospital said on a note posted to its Web site.
The breach affects 130,495 patients, according to a notification posted Tuesday by the U.S. Department of Health and Human Services.
"FedEx has suggested that the CDs likely became separated from their shipping envelope at one of its facilities, were swept up and destroyed," the hospital said in a letter sent to victims, dated June 4.
[Evan] That's a nice suggestion, but the owners of the information deserve more assurance than a suggestion.
The CD was password-protected but unencrypted, the letter states.
[Evan] Amazing. Somebody thought to protect the information through the use of authentication, but neglected to consider encryption?
Siemens is no longer FedExing CDs to Lincoln, the hospital said. It is not aware of any of the data being improperly accessed.
Commentary:
There are at least five organizations involved in this breach, and four of them seem to deserve the most blame. In my opinion, FedEx is least to blame. Breaches involving dumb, risky behavior really irk me. There are so many things wrong with this that I don't even know where to begin.
Past Breaches:
Unknown