FDNY notifies more than 10K patients of possible data breach
An FDNY employee lost an unencrypted hard drive containing patient care reports made between 2011 and 2018
By Paul Liotta
Staten Island Advance, N.Y.
STATEN ISLAND, N.Y. — More than 10,000 ambulance patients’ personal data was put at risk after an FDNY employee lost his personal hard drive in March, the department announced Friday.
An FDNY media release said the personal data, including at least 3,000 Social Security numbers, were transferred to the external device by an employee who had authorized access to the information.
Whether FDNY rules were violated is still under investigation, and the unidentified individual is facing disciplinary action, according to a spokesman for the department.
That spokesman could not say where in the city the patients live, but the media release said the FDNY notified 10,253 patients of the possible breach this week by mail, even though the employee reported the hard drive missing March 4.
In a sample letter shared with the media, the FDNY said the device was unencrypted, and that the data on the hard drive included patient care reports made between 2011 and 2018.
Information on those reports includes the name, address, gender, telephone number, date of birth, insurance information and the patient’s health information related to the reason for the ambulance call.
According to the sample letter the FDNY shared, the department’s investigation determined the missing device was unencrypted, but that there was no indication that information on the device had been accessed.
The FDNY said it is offering free credit monitoring to 3,000 people whose Social Security numbers may have been compromised.
In an effort to ensure something like this doesn’t happen again, the FDNY retrained employees with high-level access to patient information about rules put in place by the Health Insurance Portability and Accountability Act. FDNY personnel must follow those rules or be subject to sanctions, according to the letter.
City Councilman Joe Borelli (R-South Shore), who is chair of the council’s Committee on Fire and Emergency Management, issued a statement saying that he has had multiple conversations with the office of FDNY Commissioner Daniel Nigro about the lost hard drive, and applauded the department’s transparency on the issue.
“Though the department has been transparent and proactive, my committee will still demand a full accounting as to the practices, protocols and errors that lead to this breach,” he said.
The department is following HIPAA guidelines in notifying all persons whose information may have been compromised.
Patients can call toll-free (877) 213-1732 between the hours of 9 a.m. and 9 p.m. if they have any questions about the breach or if they think their personal information was included in this breach, according to the media release.
©2019 Staten Island Advance, N.Y.