November 13, 2013
Memorial Sloan Kettering Cancer Center has learned of a security breach that may have resulted in exposure of protected health information (PHI) of some our patients. We have notified all of the individuals who may have been affected.
Memorial Sloan Kettering immediately began a full investigation upon being informed of the breach on September 23, 2013. The incident involved a physician who copied certain files relating to 2,279 patients from his computer to a portable storage device prior to leaving for a new position at another hospital in July 2011. The device, which was not encrypted or password protected, has been reported missing from the physician’s office where he now works.
We have verified that the files stored on the device did not contain entire medical records, nor did they contain social security numbers or any financial information. However, for most affected patients, they did include patients’ names, medical record numbers, appointment dates, and some clinical information. For some patients, the files also included date of birth, physician name or initials, procedure type, address, and telephone number.
Although the device remains missing, we have no indication at this time that the device or any of this patient information has been accessed, misused, or further disclosed. Memorial Sloan Kettering has obtained written confirmation from both the physician and the hospital where he is now employed that they did not keep any copies of the patient information involved in this incident.
Memorial Sloan Kettering’s policy against storing PHI on local hard drives, local media, or mobile devices has been in place since 2004. It was updated in 2010 to specifically prohibit storing PHI on portable storage devices such as CDs, USB/flash drives, and external hard drives. As part of our ongoing commitment to patient confidentiality, we continue to reinforce our comprehensive privacy and information security policies and practices with our entire workforce.
We deeply regret that any patient information may have been exposed. The privacy of our patients and the confidentiality of their PHI is of critical importance to us, and we will continue to take the steps necessary to prevent this problem from happening again.
For more information about our privacy practices, go to www.mskcc.org/privacy. Patients who were affected by this incident and have additional questions should call 877-866-7249.
For media inquiries, please contact Christine Hickey at firstname.lastname@example.org.