Personal and health information for about 315,000 patients is missing, Emory Healthcare announced Wednesday. The hospital system has been unable to find 10 computer discs containing the data.
The missing discs held information on all patients who had surgery at Emory University Hospital, Emory University Hospital Midtown and The Emory Clinic Ambulatory Surgery Center between September 1990 and April 2007. The discs contained protected health information, including patient names, along with the diagnosis, the name of the surgical procedure and the surgeon. Approximately 228,000 of the patient records also included Social Security numbers.
"We sincerely regret that this incident has occurred and we want to assure our patients that we are committed to safeguarding their personal information," John T. Fox, president and CEO of Emory Healthcare, said at a press conference.
Emory has no evidence that any information contained on the discs has been misused. Emory is sending letters to affected patients and offering them free identity protection and credit monitoring services. An investigation is ongoing to try to determine what happened to the discs. It's not certain that the information was stolen, Fox said. It could simply have been misplaced. The discs were removed sometime between February 7 and February 20, the investigation has determined.
Fox acknowledged that the discs were not stored according to protocol. The discs were in a cabinet located in an office, he said. While the office was locked at night and access to the hallway was restricted, the cabinet itself was not locked. The discs contained data files from an obsolete software system that Emory stopped using in 2007.
Fox said that Emory has "strong policies" in place to safeguard personal information. "The employee misinterpreted our policy," Fox said. "But the employee did the right thing -- as soon as they noticed they were missing, the employee came forward ... Our view is that the employee made an honest mistake."
The information on the discs was not encrypted because it was associated with such an outdated system, Fox said. Encryption would have made viewing the data more difficult. But Fox said the information on the discs could not be easily viewed without the software needed to read it, which was not on the discs.
Fox said Emory's investigation includes an initiative to clarify policies and procedures for safeguarding information. Emory is also conducting a comprehensive inventory of all spaces where data is stored to make sure information is properly secured. Fox said he had had surgery at Emory during the time-frame involved and his records were among those on the discs.
Judy Hammett, a resident of DeKalb County, said she had surgery at Emory University Hospital during the 17-year period covered by the back-up discs. She said the possible misuse of such information is worrisome. "I just feel like they are so careful with everything else, there has to be a way to lock those up so people cannot steal the records."
Liz Coyle, a spokesperson for Georgia Watch, a statewide consumer organization, said that consumers place their trust in institutions when they hand over their personal information.
"In a case where you have provided your personal information so that you can get needed health care, we would expect -- and I think patients in Georgia have the right to expect -- that the organization would go to the greatest lengths possible to protect the personal information," Coyle said.
Emory has never experienced any problems with missing or lost data on this scale. However, last year, hospital bills of 32 patients at Emory's orthopedic clinic were taken and personal information was used to file fraudulent tax returns in nine patients' names.
Emory's current system stores medical records on a secure server which offers the most updated protections against any misuse of medical records, Emory said. Electronic medical records offer a host of clinical benefits, experts say.
Information compiled on outdated computer systems can be more challenging to protect than personal data collected today, said Kevin Coy, an attorney in the Washington office of the Arnall Golden Gregory law firm whose focus includes privacy law and data breaches.
He said similar problems have occurred nationally when back-up tapes have been lost or compromised after being sent to off-site storage locations or even being lost in transit. "If the media hasn't been encrypted it's possible if someone gets ahold of them that someone could misuse the information that is on there -- including the Social Security numbers," he said.
He said many companies with cases of missing data often offer credit monitoring to try to protect consumers from wrongdoing.
Emory has set up a toll-free hotline (1-855-205-6950) to provide information to patients about the missing data. More information is also available at www.emoryhealthcare.org/protection.