The New York City Fire Department notified more than 10,000 patients who were treated or transported by FDNY emergency medical services that their personal information may have been breached after an employee lost a personal, external hard drive containing their health records.
The employee was authorized to access the medical records, and the device was reported missing March 4. FDNY launched an investigation into the incident and concluded there is no evidence that any of the 10,253 patients' information that was stored on the device has been inappropriately accessed. However, the device was unencrypted, which "might allow the information it contained to be accessed by an unauthorized individual," according to the news release.
Patients who were affected by the breach were either treated or transported by EMS from 2011-18. The department is providing free credit monitoring to 3,000 patients whose Social Security numbers may have been compromised.
"In light of this incident, FDNY has retrained employees with high-level access to [private health information] about FDNY HIPAA Privacy and Security Polices that all FDNY personnel must follow or be subject to sanctions," said Glenn Asaeda, MD, FDNY chief medical director, according to the news release.