The data breach affected patients, staff, vendors and contractors at the Jacobi Medical Center, North Central Bronx Hospital, and their two affiliated health centers. The personal information was collected over the past 20 years and included names, addresses, social security numbers, patients’ medical histories, and the occupational/employee health information of staff, vendors, contractors, and others.
HHC stressed that the files are “not readily accessible without highly specialized expertise and data-mining tools, and there is no evidence to indicate that the information has been accessed and misused.” At the same time, HHC admitted that it did not know where the files are.
“The loss of this data occurred through the negligence of a contracted firm that specializes in the secure transport and storage of sensitive data, but HHC is taking responsibility for providing information and credit monitoring services to any affected individual who may be worried about the possibility of identity theft”, said HHC President Alan D. Aviles.
The 14-hospital system said it was providing free credit monitoring and fraud resolution services for one year to the nearly 1.7 million people affected. According to the Ponemon Institute, data breaches cost $204 per compromised record. That figure would place the cost of this data breach in the range of $350 million.
To recoup the cost, HHC said it was suing GRM Management Information Services to recover “all of the costs associated with notifying all affected individuals, and to pay for other damages related to the loss of the data.”
HHC said it reported the data breach to state and federal oversight, regulatory, and consumer protection agencies. Agencies notified include the New York State Attorney General, the New York State Office of Cyber Security, the New York State Consumer Protection Board, the U.S. Department of Health and Human Services, and three nationwide consumer reporting agencies.