Emory Healthcare notifies individuals regarding missing data

Woodruff Health Sciences Center | April 20, 2012

Emory Healthcare has determined that 10 backup discs containing information on surgical patients treated between September 1990 and April 2007 are missing from a storage location at Emory University Hospital. As soon as it was discovered that the discs were missing, an extensive search and investigation was initiated and is continuing. It is important to note that there was no actual or attempted breach or "hacking in" of Emory's electronic medical records or other systems.  

The information contained on the discs is related to approximately 315,000 surgical patients treated at Emory University Hospital, Emory University Hospital Midtown (formerly known as Emory Crawford Long Hospital) and The Emory Clinic Ambulatory Surgery Center. The information did not relate to patients at other Emory Healthcare facilities or to patients treated after April 2007.  

All affected patients, at Emory Healthcare's cost, will be provided access to identity protection services, including credit monitoring, through Kroll, Inc., a company specializing in such services.  

Approximately 228,000 of the patient records included Social Security numbers; another approximately 87,000 records did not include Social Security numbers. The discs contained certain protected health information, including the patient names, dates of surgery, diagnoses, procedure codes or the name of the surgical procedures, device implant information, surgeon names and anesthesiologist names.  

"We sincerely regret this incident and want to assure our patients that we are committed to safeguarding their personal information," said John T. Fox, president and CEO of Emory Healthcare. "While we have no evidence at this time that any personal information has been misused as a result of this incident, we want to take all precautions to ensure our patients' information is safe. We are moving forward expeditiously with providing all affected patients, at our cost, access to identity protection services, including credit monitoring."  

The investigation has determined that the discs were removed sometime between February 7, 2012, and February 20, 2012. They contained data files from an obsolete software system that was deactivated in 2007. This deactivated system was accessed very infrequently and only as requested by either patients or their physicians. The last time data were accessed was in 2010.   

Patients are being informed through personal letters mailed to their homes beginning April 17. The letter provides details on what has occurred, actions taken to locate the discs and steps patients can take now to protect themselves against possible identity theft, as well as information on placing a fraud alert on their credit file. Emory Healthcare is recommending that individuals regularly review their credit reports for anything they do not recognize, and to consider using the other services Emory is providing, as specified in the letter. For more information on steps patients can take to avoid potential problems, view Emory Healthcare's "Notice to Our Patients" at www.emoryhealthcare.org/protection.

Emory Healthcare has launched an institution-wide initiative to reinforce and clarify existing policies and procedures for safeguarding the security and privacy of sensitive information. In addition, Emory is conducting a comprehensive inventory of all physical spaces across the system to ensure data are properly secured.  

A toll-free Emory Healthcare Support Center hotline (1-855-205-6950) providing information on the incident has been established to address patient questions and is available 9 a.m. to 6 p.m. (Eastern Daylight Time) or patients may visit www.emoryhealthcare.org/protection