The New York City Health and Hospitals Corporation (HHC) has begun to notify nearly 1.7 million patients and hospital staff, as well as the employees of vendors, contractors, and others about a recent reported theft of electronic files that contained their personal or protected health information (PHI). All notified parties were served by and/or provided services for or at Jacobi Medical Center, North Central Bronx Hospital and their two affiliated health centers during the past 20 years.

HHC executives issued a statement regarding the notification on Feb. 11.

The data in the stolen files is not readily accessible without highly specialized technical expertise and data-mining tools, and there is no evidence to indicate that the information has been accessed and misused, the executives said.

[See also: Kroll names top 10 data security issues for 2011.]

“Nonetheless, HHC has taken decisive steps to protect the individuals who are potentially affected,” they said.

HHC is offering free credit monitoring and fraud resolution services for one year and has opened a toll-free phone information hotline at 877-412-7148. Those affected may also call 311 for information. Special customer care centers will open at both hospitals today.
 
“We value and protect privacy and confidentiality and deeply regret any inconvenience and concern this may create for our patients, staff and others affected," said HHC President Alan D. Aviles. "The loss of this data occurred through the negligence of a contracted firm that specializes in the secure transport and storage of sensitive data, but HHC is taking responsibility for providing information and credit monitoring services to any affected individual who may be worried about the possibility of identity theft.”
 
The files were reported stolen on Dec. 23, from a vehicle operated by GRM Information Management Services. The theft occurred while the GRM van was left unattended and unlocked while the driver made other pickups. GRM reported the incident to the police and dismissed the driver of the vehicle. To date, the files have not been recovered.

[See also: Mass. hospital investigating the potential loss of back-up data for 800,000 individuals .]

HHC has taken immediate measures to prevent a similar situation from reoccurring. It has terminated the contract with the vendor responsible for the loss, and has filed a lawsuit against the vendor to hold it responsible for covering all of the costs associated with notifying all affected individuals, and to pay for other damages related to the loss of the data.
 
In addition to patient PHI, the stolen files contained personal information collected from staff, vendors and contractors by the hospitals’ occupational health services. They also included personal information of the hospitals’ staff, vendors, and contractors that is electronically filed in order for these individuals to conduct their business at or provide services for the hospitals. PHI and personal information can include names, addresses, Social Security numbers, patients’ medical histories and the occupational/employee health information of staff, vendors, contractors and others.