The Outer Banks Hospital in Nags Head, N.C., is notifying patients of a potential data breach after two flash drives containing patient information went missing.
According to a notice to patients, the hospital recently acquired certain assets of the OBX Cardiopulmonary Rehabilitation program of Eastern Carolina Cardiovascular. When moving those assets to The Outer Banks Hospital on June 20 and 21, hospital officials realized the flash drives were missing.
The flash drives may have contained personal information of current and former patients who received treatment at the rehabilitation program from 2004 to June 2016. Such information includes Social Security numbers, emergency contact numbers, mental health information, insurance ID number, diagnosis, health history information, patient account number, medical record number, referring physician name and demographic information.
The Outer Banks Hospital has no indication any information has been misused.
"This is not consistent with our privacy practices, and we are truly sorry that it occurred," said Ronnie Sloan, president of The Outer Banks Hospital, in the notice. "Be assured that we do have policies and procedures in place to allow for appropriate action in response to the inappropriate use, access or disclosure of our patients' medical information, and that we have taken steps to address this matter."
The hospital has not indicated how many individuals are affected by this incident, nor has it been posted to HHS' Office for Civil Rights breach notification portal.
More articles on data breaches:
Will understanding hackers' incentives reduce the threat of breaches?
From the Hippocratic Oath to HIPAA: A history of patient privacy
Why one security expert gives Banner Health's handling of its breach a 'C-minus'