A letter dated June 4 from Lincoln Medical and Mental Health in Bronx, NY notifies 130,945 patients that the security of their protected health information (PHI) has been compromised. Seven CDs created by Siemens Medical Solutions USA, Inc., a company that performs billing and claims processing for Lincoln, were lost while in transit to the hospital “sometime between March 16 and 24.”

“Unfortunately,” the hospital writes in the letter, “the missing CDs contain some of your protected health information, including your name, address, social security number, medical record number, patient number, health plan information, date of birth, dates of admission and discharge, diagnostic and procedural codes and descriptions, and possibly your driver’s license number if provided.”

According to the letter, both FedEx (the carrier responsible for the lost CDs) and Siemens conducted an investigation to no avail. The New York City Health and Hospitals Corporation (HHC), which operates Lincoln, was subsequently notified in an April 2 letter.

Although “Lincoln has no knowledge that the protected health information has been improperly accessed by any person,” the hospital says in a notice posted on its website, HHC has suspended further transport of CDs by carrier between Siemens and Lincoln.

Because the PHI on the CDs was not encrypted, Lincoln was required by law to post the data breach on the Health and Human Services (HHS) website.

3 Responses to “NY Hospital Data Breach Affects Thousands”

1. Pam Brooks, PCS, CPC Says:
   July 21st, 2010 at 11:42 am

   I’m shocked to learn that the data on the CDs was not encrypted, and even more surprised to learn that the information was sent via Fed Ex. What??? Pony Express wasn’t working that day?? It’s time Lincoln writes themselves (and follows) a policy on transmission and release of confidential and sensitive medical information.

   All the more reason for facilities and practices to insist that coding and billing work be done on-site and within a secure server!

2. Ann Starnes, CPC Says:
   July 21st, 2010 at 12:11 pm

   It is shocking that the CDs were not encrypted and kept safe. I agree that facilities and practices might want to have things done on-site. They should also have a monitoring system that would notify them if employees who should not review the patient records are trying to.

3. Dale Says:
   July 22nd, 2010 at 8:39 am

   I don’t believe this is an issue of whether work should be perfomed on site. There are ways for those who work off-site to effectively and efficiently work. The information on the CD could have been transferred to the hospital electronically instead. This problem seems to be one of no encryption on the CD or at least password protected. And of course the carelessness of the delivery process should be reviewed as well.

Add a Comment

Name (required)

Email Address (will not be published) (required)

Attention: AAPC does not regularly monitor comments posted here. For customer service issues, contact us. In addition, we recommend posting your questions to the AAPC forums.

CAPTCHA Code *