This blog series has been following the continuing flow of large security breaches of Protected Health Information (“PHI”) and how affected providers and insurers have been responding to their discovery. The New York City Health and Hospitals Corporation’s North Bronx Healthcare Network (“HHC”) has recently become perhaps the largest marcher in the parade of PHI security breaches with a reported 1,700,000 persons affected. 

The U.S. Department of Health and Human Services website, which provides a list (the “HHS List”) required by HIPAA/HITECH of large reported breaches of unsecured PHI incidents affecting 500 or more individuals, reveals that HHC had a PHI security breach on December 23, 2010 (the “Breach”). Of the 242 records currently reported on the HHS List, the Breach is by far the largest with 1,700,000 affected individuals. The Breach apparently resulted from a “Theft” of “Electronic Medical Record, Other.” 


Unlike some other participants in the parade of PHI security breaches reported in this blog series, HHC has, refreshingly, tried to be forthright in its communication on the HHC Website. The information regarding the occurrence may be found in a number of ways, including a search for “PHI security breach” directly from the HHC Home Page, or by clicking on “Publications and Reports” from the HHC Home Page and then on “Press Releases,” where the relevant press release dated February 11, 2011, is the only listing to date for 2011 (the “Press Release”).


The Breach could prove financially costly for HHC, as it potentially affected twenty years of information, including (i) personal information such as social security numbers, names, addresses, and other information that may be used to identify individuals; (ii) personal information together with patients’ medical histories; and (iii) personal information together with employees’ health information. The Press Release states the following: “The loss of this data occurred through the negligence of a contracted firm [identified in the Press Release as GRM Information Management Services (“GRM”)] that specializes in the secure transport and storage of sensitive data. There is no evidence to indicate that the information has been inappropriately accessed or misused.” The Press Release also reports that HHC is making free credit monitoring and fraud resolution services available for one year to affected individuals who request them.


The Press Release states that the information was stolen when “the GRM van was left unattended and unlocked while the driver made other pickups. GRM reported the incident to the police and dismissed the driver of the vehicle. To date, the files have not been recovered.” Therefore, it can be reasonably inferred from the Press Release that at least a portion of the financial burden for HHC from the Breach will be shared by GRM. GRM may even have some type of liability insurance coverage that will pay for some of the expenses flowing from the Breach.


In this regard, my partner Elizabeth Litten, Esq., had previously discussed in a blog entry in this series the need for healthcare providers and business associates to investigate the possibility of obtaining insurance covering potential losses arising out of large PHI security breaches. The case of HHC may encourage greater attention to this area.


The prominent posting of the Breach on the HHC website demonstrates that HHC has made a commitment to act responsibly and do more than what is (again borrowing a phrase from HITECH in a totally different context) “the minimum necessary” for communicating a large PHI security breach. This should accelerate the rehabilitation of confidence and relations with patients, employees and HHC’s larger constituency.