Lost backup discs at Emory Healthcare affects 315K
Emory Healthcare in Atlanta has determined that 10 backup discs containing information on surgical patients treated between September 1990 and April 2007 are missing from a storage location at Emory University Hospital.
There was no actual or attempted breach of the proivder’s EMR system. The discs contained certain protected health information, including patient names, dates of surgery, diagnoses, procedure codes or the name of the surgical procedures, device implant information, surgeon names and anesthesiologist names.
The information contained on the discs is related to approximately 315,000 surgical patients treated at Emory University Hospital, Emory University Hospital Midtown (formerly known as Emory Crawford Long Hospital) and The Emory Clinic Ambulatory Surgery Center. The information did not relate to patients at other Emory Healthcare facilities or to patients treated after April 2007.
“The investigation has determined that the discs were removed sometime between Feb. 7 and Feb. 20,” the provider stated. “They contained data files from an obsolete software system that was deactivated in 2007. This deactivated system was accessed very infrequently and only as requested by either patients or their physicians. The last time data were accessed was in 2010.”
Approximately 228,000 of the patients’ records included Social Security numbers and 87,000 records did not.
All affected patients, at Emory's cost, will be provided access to identity protection services, including credit monitoring, through Kroll.
There was no actual or attempted breach of the proivder’s EMR system. The discs contained certain protected health information, including patient names, dates of surgery, diagnoses, procedure codes or the name of the surgical procedures, device implant information, surgeon names and anesthesiologist names.
The information contained on the discs is related to approximately 315,000 surgical patients treated at Emory University Hospital, Emory University Hospital Midtown (formerly known as Emory Crawford Long Hospital) and The Emory Clinic Ambulatory Surgery Center. The information did not relate to patients at other Emory Healthcare facilities or to patients treated after April 2007.
“The investigation has determined that the discs were removed sometime between Feb. 7 and Feb. 20,” the provider stated. “They contained data files from an obsolete software system that was deactivated in 2007. This deactivated system was accessed very infrequently and only as requested by either patients or their physicians. The last time data were accessed was in 2010.”
Approximately 228,000 of the patients’ records included Social Security numbers and 87,000 records did not.
All affected patients, at Emory's cost, will be provided access to identity protection services, including credit monitoring, through Kroll.