The personal information and confidential medical records of patients at three Emory University hospitals is missing, putting as many as 315,000 former surgical patients at risk of identity theft, the Atlanta health care center admitted.
The 10 backup discs on which the information was stored were found missing from a storage location at Emory University Hospital, according to an Emory Healthcare warning sent this week to affected patients. The discs contained approximately 228,000 Social Security numbers as well as the names, addresses and dates of birth of patients treated between September 1990 and April 2007 at Emory University Hospital, Emory University Hospital Midtown and The Emory Clinic Ambulatory Surgery Center.
Also stored on the discs were patients' surgery dates and procedures, device implant information, surgeon and anesthesiologist names and other protected health information.
[How You're Putting Your Company at Risk for a Data Breach]
"We sincerely regret this situation and any inconvenience this may cause our patients," Emory Healthcare President and CEO Josh T. Fox and Chief Privacy Officer Anne Adams wrote in the advisory. Emory Healthcare has put in place new protective security measures and is offering affected patients a free year of credit monitoring.
Emory said the 10 backup discs were discovered missing on Feb. 20. The data was taken from a software system deactivated in 2007 and, until 2010, only infrequently accessed. In its advisory, Emory Healthcare made clear "there is no indication that this information has been or will be misused," and that the data breach incident "was not a breach or 'hacking' of our computer systems."