Quick Facts

• Date: 3/29/2011
• Institution: New York University, Langone Medical Center
• Type of Incident: Theft
• Number Affected: 670 (2 Social Security Numbers)
• Source: OSF DataLoss DB
• Abstract Source: NYU Langone Medical Center Breach Notification

Abstract
New York University Langone Medical Center recently announced that patient information may be at risk following the theft of a computer from a physician's office. The computer, used for research and stolen from the NYU School of Medicine Faculty Group Practice on January 27, contained the names, diagnosis, results of diagnostic tests, and clinical information gathered during office visits on 653 patients between April 1999 and September 2008. An additional 26 letters were sent to individuals whose medical record numbers, home addresses, dates of birth, occupation and, in two cases, Social Security numbers may have been contained on the computer. A suspect in the theft has been arrested but the stolen computer was not recovered at the time. NYU Langone has setup a hotline - 1-877-698-2333 - to help provide more information to those affected by the theft.

Quick Facts

• Date: 3/18/2011
• Institution: University of Kent
• Type of Incident: Unauthorized Disclosure
• Number Affected: 615
• Source: ESI
• Abstract Source: ZDNet

Abstract
The University of Kent recently responded to a mistake that exposed the personal information of students registered with the Disability and Dyslexia Support Services at the university. The email, sent to inform students of arrangement being made for final exams, contained the names of 615 students in the CC field, exposing their names, email addresses and the fact that they receive support from Disability and Dyslexia Support Services to the other students. In a second email university officials apologized for the disclosure of protected information and had reported the incident to the Office of the Information Commissioner.

Quick Facts

• Date: 3/9/2011
• Institution: University of Massachusetts Amherst
• Type of Incident: Penetration
• Number Affected: 942
• Source: ESI
• Abstract Source: Health Data Management
• Update1 Source: UMass Press Release

Abstract
The University of Massachusetts Amherst began notifying individuals on March 7 after an investigation concluded a breach placed protected health information at risk. The breach, which involved a malware infection on a workstation that could have allowed unauthorized access, involved the names, insurance information, medical record numbers, medication information, physician information, pharmacist information and prescription history of 942 UMass Amherst Health Center patients. UMass staff became aware of the breach on October 28, 2010 and launched an investigation that was finished on Feb 1, 2011. The investigation discovered that the breach initially occurred on June 30, 2010. When asked about the 60 day notification requirement, the university believes it is in compliance since the notification was made less than 60 days after the investigation was concluded. A UMass spokesperson said the university feels the best process is to advise individuals to monitor their accounts and credit reports for unauthorized activity and will not offer free credit protection. Internally, UMass has implemented several steps to help increase security including installing automated software to detect unauthorized activity, increased staff training and will improve the identification of personal information on departmental computers.

Update1
For more information, here is a link to the UMass Press Release.

Quick Facts

• Date: 3/7/2011
• Institution: University of Massachusetts Amherst
• Type of Incident: Penetration
• Number Affected: 942
• Source: DataLoss DB
• Abstract Source: Health Data Management, University of Massachusetts News Release

Abstract
The University of Massachusetts recently notified individuals after staff discovered malware on a computer containing protected health information. The computer, used in UMass's University Health Services, contained the names, health insurance company and medical record numbers on 942 UHS patients. In addition, the computer contained the prescription information, including medication, pharmacist, quantity, length of prescription and physician between Jan 2009 and Nov 2009 for these patients. The computer was originally infected in June 2010 and was corrected by the end of Oct 2010. A follow up investigation did not find any evidence that the protected health information was copied. In the letter, UMass officials advise affected individuals to monitor their health insurance information for any unusual activity but believes the likelihood of problems to be very low. UMass has responded to the incident by increasing training of UHS staff, installing automated software to discover malware infections and increasing efforts to discover protected information on desktops and workstations.

Quick Facts

• Date: 2/3/2011
• Institution: University of Washington
• Type of Incident: Unauthorized Disclosure
• Number Affected: 17 (via PHIPrivacy.net)
• Source: PHIPrivacy.net
• Abstract Source: KING5

Abstract
KING5 was recently contacted by an individual that obtained University of Washington medical records while purchasing surplus furniture. The information is stored on 19 DVDs and one paper record and is comprised of mostly X-ray and MRI images of spines. KING5 Allen Schauffler was able to trace Vicki Goetz, whose name, along with phone number, was on a post-it note attached to a DVD. According to Goetz, she was a patient of the UW Bone and Joint Center and had two different surgeries there before finding another doctor. UW has stated that they are not sure how these files could have been left in surplus furniture but offers apologies to everyone affected. A UW spokesperson also said the university is reviewing policies and procedures and will work to tighten things up.