Columbia University Irving Medical Center (CUIMC) reported a data breach affecting 29,629 individuals to the HHS’ Office for Civil Rights on May 6, 2024. The breach was discovered when NewYork-Presbyterian (NYP) and CUIMC were informed about the exposure of patient data on an Internet-accessible platform. The file was immediately removed, and an investigation revealed that a NYP/CUIMC employee had inadvertently uploaded the file in August 2023 during quality-related data review activities.
The exposed file contained patient lab data, including names, medical record numbers, dates of birth, provider names, and a single laboratory test result for each patient. Although the lab results did not reveal diagnostic information, the forensic investigation found evidence that the file had been accessed by unknown, unauthorized parties between September 11, 2023, and March 7, 2024. This unauthorized access raised concerns about the potential misuse of the exposed data.
CUIMC emphasized that the nature of the exposed data does not put affected individuals at risk of identity theft. However, they advised affected patients to monitor their health plan statements for any irregularities. Notifications have been sent to all impacted individuals, ensuring they are aware of the breach and can take necessary precautions.
In response to the breach, NYP/CUIMC is evaluating further security enhancements and continues to educate their workforce on the correct handling of patient data. This incident highlights the ongoing need for stringent data security measures and vigilance in safeguarding sensitive patient information within healthcare institutions.
Reference: