New Jersey-based Chilton Medical Center is warning patients their personal information may have been compromised after a former employee sold a stolen hard drive on the internet.
The hospital, which is part of the not-for-profit Atlantic Health System, reported the breach to the Department of Health and Human Services, indicating that the incident impacted 4,600 people.
On October 31, Chilton Medical Center discovered an employee sold a hard drive removed from a hospital computer, according to a statement posted on its website. The hard drive contained names, addresses, medical record numbers and medications, but the hospital stressed no financial information or medical records were affected.
The hard drive contained information for certain patients who received care between 2008 and 2017, and the employee may have stolen hard drives from other computers.
“During our investigation, we determined that the former employee removed other devices and assets from Chilton Medical Center to sell on the internet in violation of policy,” the statement read. “While we currently have no indication that any of these devices or assets contain patient information, we continue to investigate this incident and, if we determine additional patients are affected, we will notify them as appropriate.”
Insiders have played a major role in data breaches throughout 2017, accounting for 41% of incidents midway through the year. Earlier this year, healthcare executives ranked employee awareness and culture as their No. 1 cybersecurity concern.
Insiders accounted for nearly one-third of data breaches in November, according to a Protenus Breach Barometer report released on Thursday, even as the number of breaches dipped compared to previous months. Nearly 84,000 records were implicated in November, the lowest number of breached records all year.
Meanwhile, a public domain for the health IT company Medhost was compromised this week, redirecting visitors to a site that claimed patient data would be sold if the company did not meet the hackers’ demands.
On Wednesday, the company said it retained full control of its internal systems throughout the incident and that there is no indication that patient information was compromised.