Bellevue Hospital Center operator New York City Health and Hospitals Corporation (HHC) is notifying roughly 3,300 patients that their personal information was included in a spreadsheet that was improperly emailed to an unauthorized recipient.
How many victims? About 3,300.
What type of personal information? Names, telephone numbers, medical record numbers, email addresses, insurance carrier information and limited sensitive health information.
What happened? A Bellevue employee improperly emailed a spreadsheet containing the personal information to an unauthorized recipient, who was her relative.
What was the response? The Bellevue employee and her relative were interviewed, and it was confirmed that the spreadsheet was not sent to any other individuals and was deleted by the relative. Additional training is being planned for staff, and an automatic blocking system is being implemented to prevent email communications containing personal and other confidential information from being sent from HHC's systems to outside systems, unless for legitimate purposes. The employee is facing disciplinary action. All potentially impacted individuals are being notified.
Details: The email was sent on Jan. 15 and the incident was discovered on Feb. 27. The employee indicated that she sent the spreadsheet to the relative for technical assistance in manipulating the spreadsheet data for work purposes.
Quote: “There is no evidence to suggest that the spreadsheet was received or viewed by anyone other than the single unauthorized recipient, and there is no evidence to suggest that the PHI contained in the spreadsheet was misused or further disclosed in any manner,” according to a notification posted to the website.
Source: nyc.gov, “Notification of Possible Personal Health Information Disclosure,” April 28, 2015; nyc.gov, “Notification Regarding Your Personal Health Information,” April 28, 2015.