An FDNY employee may have compromised the personal information of over 10,000 people

Good news, everyone!

If you live in New York City and your personal information wasn’t already compromised by the recent, massive hack of Capital One’s customer database, there’s still an excellent chance that at least some of the sensitive information in your life has its ass hanging out for the world to see, courtesy of the Fire Department of New York.

From Gizmodo:

An estimated 10,253 people who used the FDNY’s Emergency Medical Services between 2011 and 2018 had their data exfiltrated well over a year ago, when an “employee, who was authorized to access the records, had uploaded the information onto the personal external device,” which went missing sometime thereafter, according to a statement by FDNY.

A personal hard drive! That’s been missing! For a year! I’m sure it’s fine! The FDNY would love it if you believed this to be true. To make sure that those possibly compromised in the breach know about it, they sent out a letter, via snail mail (I mean, you obviously can’t trust computers), to everyone who received medical care from the Fire Department during the aforementioned seven-year period:

What happened:
On March 4, 2019, the New York City Fire Department (“FDNY”) was notified that an FDNY employee’s personal portable hard drive was reported missing from an FDNY facility. This hard drive is a portable electronic data storage device that can be attached to a computer. It belonged to an employee authorized to access FDNY patient information and contained confidential personal information about patients who had been treated and/or transported by an FDNY ambulance.

FDNY immediately initiated an expansive investigation which took several months to determine whether any patient data was involved, and then to also identify each and every patient whose PHI was involved. Now that the investigation is complete, FDNY is contacting all individuals whose PHI was contained on the missing hard drive.

During the investigation, it was determined that the missing hard drive was unencrypted, which might allow the information it contained to be accessed by an unauthorized individual. There is no indication that information stored on the device has been accessed, but FDNY has chosen to err on the side of caution and treat this incident as though the information may have been seen by an unauthorized individual or individuals. That is the reason that you are receiving this Notice.

What information was involved:
The FDNY operates emergency ambulances in the New York City 911 System. A patient care report is created by the FDNY for each emergency call to which an ambulance responds. The patient care report contains personal information about the patient that may include name, address, gender, telephone number, date of birth, insurance information number as well as health information related to the reason for the ambulance call. Our records indicate that you were treated and/or transported by the FDNY. Your personal information may have been included on the patient care report for that call.

What we are doing:
In light of this incident, FDNY has retrained employees with high level access to PHI about FDNY Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Policies that all FDNY personnel must follow or be subject to sanctions. The loss of the external drive was also reported to the New York City Police Department and internally to the New York City Fire Department Fire Marshals and investigated.

If you’re concerned that your information may have been included in the breach or just want to give the FDNY a hard time over this stupid, and let’s face it, very likely preventable data loss, indulge yourself by giving them a call at 877-213-1732.
