Metropolitan Hospital Center
January 15, 2015
4.0K
Confirmed
Insider Threat
Healthcare
The New York City Health and Hospitals Corporation (HHC), which operates the Metropolitan Hospital Center (Metropolitan), values the importance of protecting the confidentiality of our patients' medical records. Therefore, we regret to inform you of an incident that resulted in the possible unauthorized disclosure of your protected health information (PHI), including such information as your name, medical record number, medical diagnosis, physician's name, and limited sensitive medical information. Although we have no evidence that your PHI was inappropriately used, we are required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to inform you of this incident in writing. We also want to assist you by providing you with the steps that you can take to protect yourself from any harm that may result from this incident.
DESCRIPTION OF INCIDENT: By way of background, HHC has implemented an information governance and security program that, among other things, monitors and detects all email communications that contain PHI and other confidential information that are sent outside of HHC's information systems without proper authorization. The incident in question, which occurred on January 15, 2015, was discovered on March 31, 2015 when, in the course of HHC's monitoring of outgoing emails, we identified an email that contained PHI, including yours, which a Metropolitan employee improperly sent from his HHC email account to his personal email account. While there is no indication that the employee improperly used the information contained in the email, its transmission was unauthorized and certainly not condoned by Metropolitan. Therefore, in an abundance of caution, we are notifying you of this incident and advising you of the actions that we have taken and the ones that we recommend you consider taking to protect yourself from any possible adverse effects that could arise as a result of this incident.
WHAT WE HAVE DONE IN RESPONSE TO THE BREACH: Metropolitan has promptly taken a number of steps in response to this incident. First, we interviewed the responsible Metropolitan employee and examined his HHC email account to ensure that we identified all the sites to which the email and spreadsheets were sent. We also reviewed the employee's personal email account, and were present to ensure that the employee deleted the email and spreadsheets from his personal email account. Second, to help relieve concerns and restore confidence following this incident, we have secured the services of Kroll to provide identity theft protection at no cost to you for one year. Kroll is a global leader in risk mitigation and response, and their team has extensive experience helping people who have sustained an unintentional exposure of confidential data.