Bellevue Hospital Center in New York, operated by New York City Health and Hospitals Corp., has notified approximately 3,300 patients that their protected health information has been compromised after a hospital employee sent an email attachment containing PHI to a relative's email account.
This is the second breach reported by New York City HHC in which an employee transmitted PHI through email, though the two incidents are unrelated.
According to the patient notification letter, an employee emailed a spreadsheet Jan 15, 2015 to a relative's email account at the relative's place of employment. The employee said she sent the spreadsheet to her relative for technical help in manipulating spreadsheet data for work purposes. The employee also said she did not send the spreadsheet to any other unauthorized recipient, which was confirmed by Bellevue's forensic review.
Compromised information includes names, medical record number, telephone number, email address, name of insurance carrier and "limited sensitive information," according to the notification.
"Regardless of the employee's motivation for sending the email and attachment, the transmission of this information to an unauthorized recipient was certainly improper and is not condoned by Bellevue," reads the breach notification.
New York City HHC learned of the breach Feb. 27, 2015 through an information governance and security program that monitors and detects any email communications containing PHI that are sent outside the system's network without proper authorization.
The health system has no indication the PHI was improperly used.
More articles on data breaches:
Cyberattack exposes data of 1.1M CareFirst BCBS members: 6 things to know
Consumer perceptions of Anthem slightly shift downward following data breach
CareFirst falls victim to cyberattack: Industry experts respond