The personal information of more than 10,000 FDNY EMS patients may have been compromised by a loss of an agency employee’s personal external hard drive earlier this year.
By Forum Staff
The City Fire Department recently notified more than 10,000 patients whom the FDNY EMS had previously treated and/or transported that their personal information may have been compromised by a loss of an agency employee’s personal external hard drive earlier this year.
The employee, who was authorized to access the records, had uploaded the information onto the personal external device, which was reported missing.
“On March 4, 2019, the New York City Fire Department (‘FDNY’) was notified that an FDNY employee’s personal portable hard drive was reported missing from an FDNY facility. This hard drive is a portable electronic data storage device that can be attached to a computer. It belonged to an employee authorized to access FDNY patient information and contained confidential personal information about patients who had been treated and/or transported by an FDNY ambulance. FDNY immediately initiated an expansive investigation which took several months to determine whether any patient data was involved, and then to also identify each and every patient whose PHI was involved. Now that the investigation is complete, FDNY is contacting all individuals whose PHI was contained on the missing hard drive,” a portion of the letter reads. “During the investigation, it was determined that the missing hard drive was unencrypted, which might allow the information it contained to be accessed by an unauthorized individual. There is no indication that information stored on the device has been accessed, but FDNY has chosen to err on the side of caution and treat this incident as though the information may have been seen by an unauthorized individual or individuals. That is the reason that you are receiving this Notice.”
The FDNY has notified the impacted patients. Further, 3,000 patients whose Social Security numbers may have been compromised are being offered free credit monitoring.
The 10,253 patients who were notified this week by mail of the data breach were all treated and or transported by EMS during the period from 2011 to 2018.
“The FDNY operates emergency ambulances in the New York City 911 System,” another portion of the letter reads. “A patient care report is created by the FDNY for each emergency call to which an ambulance responds. The patient care report contains personal information about the patient that may include name, address, gender, telephone number, date of birth, insurance information number as well as health information related to the reason for the ambulance call. Our records indicate that you were treated and/or transported by the FDNY. Your personal information may have been included on the patient care report for that call.”
The FDNY is following the Health Insurance Portability and Accountability Act of 1996 guidelines in notifying all persons whose information may have been compromised. The loss of the external drive was also reported to the City Police Department and internally to FDNY fire marshals and investigated.
Patients can call toll-free (877) 213-1732 between the hours of 9 a.m. – 9 p.m. if they have any questions about the breach or if they think their personal information was included in the breach.