New York City-based NewYork-Presbyterian Hospital said an unauthorized third party gained access to employee laptops, potentially exposing the data of about 12,000 patients.
On Sept. 8, the medical center discovered suspicious activity on one of its servers, blocking possible attempts by an unauthorized user to download information, NewYork-Presbyterian said in the Nov. 11 notice.
While reviewing the incident, NewYork-Presbyterian discovered a hacker had used a cloud-based, remote IT customer support program to access several employee laptops, copying and removing desktop files from some of them.
While the hacker did not access the medical center's patient portal, one of the compromised devices contained the protected health information of certain patients of NewYork-Presbyterian/Queens and NewYork-Presbyterian/Hudson Valley. The data may have included first and last names, addresses, payer authorizations, medical record numbers and examination results.
NewYork-Presbyterian said it has taken steps to prevent this type of incident from happening in the future, including suspending the accounts used for the technical assistance program and terminating the service.