Emory Healthcare in Atlanta says that it has misplaced 10 backup disks containing information for 315,000 patients. The health system provides clinical care as part of the Robert W. Woodruff Health Sciences Center of Emory University.
Emory announced the data breach on April 18. The health system didn’t immediately respond to eWEEK’s request for comment.
The 10 disks held data on surgical patients treated between September 1990 and April 2007, the health system reported. The disks are missing from a storage location at Emory University Hospital. The locations where affected patients were treated include Emory University Hospital Midtown and the Emory Clinic Ambulatory Surgery Center.
Of the 315,000 patient files on the disks, 228,000 included Social Security numbers. Other information at risk included patient names, dates of surgery, diagnoses and procedure codes. The names of the surgeons and anesthesiologists the patients had seen were also included in the records.
The disks contained old data from software Emory deactivated in 2007. The hospital’s IT systems were not hacked into, the health system
“We sincerely regret this incident and want to assure our patients that we are committed to safeguarding their personal information,” John T. Fox, president and CEO of Emory Healthcare, said in a statement. “While we have no evidence at this time that any personal information has been misused as a result of this incident, we want to take all precautions to ensure our patients’ information is safe.”
Fox’s own data may have been included on the disks, since he had surgery at the hospital during the period the data covers, the Atlanta Journal-Constitution reported.
Emory stored the unencrypted disks in an unlocked cabinet, although the office was locked at night, Fox said at an April 18 press conference, according to the Journal-Constitution.
Although the disks contained data from outdated software no longer in use, organizations that still run outdated systems or firewalls are at greater risk of a data breach, experts say.
The disks disappeared between Feb. 7 and Feb. 20, according to Emory, and the health system informed patients beginning April 17.
“We have taken immediate steps to fortify the protective measures that are already in place,” Emory wrote in its letter to patients. “New and enhanced data control measures have been implemented
Emory didn’t specify which data control measures have been implemented,
The hospital system has set up a Web site and a hotline (855-205-6950) for patients to inquire about the breach. It will also provide patients with identity protection through IT security provider Kroll.
In an April 11 report, Kroll and HIMSS Analytics suggested that health care organizations need to step up their efforts in forming policies on patient data security. Methods to tighten security include stricter hiring practices, more background checks and minimizing data access, said Lisa Gallagher, senior director of privacy and security for HIMSS.
Another recent data breach occurred at the Utah Department of Technology Services when a hacker from Eastern Europe broke into a server holding Social Security numbers for Medicaid claims. A weak password was to blame for the incident.