The disks contained patient names, diagnosis, name of surgical procedure, and the surgeon, and most contained patient social security numbers as well, Emory said in a statement.
The patients were treated at Emory University Hospital, Emory University Hospital Midtown, and the Emory Clinic Ambulatory Surgery Center between September 1990 and April 2007.
Emory Healthcare’s investigation has determined that the disks were removed sometime between Feb. 7 and 20, 2012. They contained data files from an obsolete software system that was deactivated in 2007; the deactivated system was accessed very infrequently and only as requested by either patients or their physicians, Emory explained.
"While we have no evidence at this time that any personal information has been misused as a result of this incident, we want to take all precautions to ensure our patients' information is safe. We are moving forward expeditiously with providing all affected patients, at our cost, access to identity protection services, including credit monitoring", said John T. Fox, president and chief executive officer of Emory Healthcare.