Northwestern, N.J.-based Chilton Medical Center, an affiliate of Morristown, N.J-based Atlantic Health System, began notifying a subset of patients that visited its facility between May 2008 and Oct. 15, 2017, their protected health information had been compromised.
On Oct. 31, the hospital learned an employee removed a computer hard drive from the hospital, in violation of its policy. That employee, who no longer works at Chilton, sold the hard drive on the internet earlier that month.
Chilton launched an investigation into the incident, which determined the hard drive contained patient information that may have included patients' names, dates of birth, addresses, medical record numbers, allergies, and medications the patient may have received at the hospital. However, no Social Security numbers, financial information or medical records were affected.
The investigation also revealed the former employee removed other devices and assets from Chilton to sell on the internet. While hospital officials do not believe these devices or assets contain patient information, they will continue to investigate the incident and, if it is determined additional patients were affected, will notify them as appropriate.
"While we have policies in place to protect patient information, we have, since this incident, enhanced our processes and controls to help prevent something like this from happening again," reads a notice on the organization's website.
Becker's Hospital Review has reached out to Chilton Medical Center for comment. This story will be updated as more information becomes available.
More articles on cybersecurity:
Representative introduces legislation to allow EHR clearinghouses work directly with patients
AMIA, Pew to Congress: Secure funding for the EHR reporting program