Massive data breaches have become a sad, numbing reality, where a hack or a compromised server leads to millions of peoples’ private data becoming public or landing in the hands of thieves. Bucking that trend, the Fire Department of New York (FDNY) has begun alerting mailing alters about a relatively small-scale breach caused by, of all things, a missing hard drive.
An estimated 10,253 people who used the FDNY between 2011 to 2018 had their data exfiltrated well over a year ago, when an “employee, who was authorised to access the records, had uploaded the information onto the personal external device,” which went missing sometime thereafter, according to a statement by FDNY.
Yup, no cloak-and-dagger stuff or spectre of nation-state hacking of patient records. Just a guy who put some stuff on a drive and couldn’t tell you where it went.
“Although there is no evidence to date that any of the information stored on the personal device has been accessed,” the agency wrote on its website today, “the FDNY is treating the incident as if the information may have been seen by an unauthorised person.”
In the letter sent to those potentially affected, FDNY Chief Medical Director Glenn Asaeda explained what “personal health information” (PHI) was is believed to have been on the missing hard drive:
The FDNY operates emergency ambulances in the New York City 911 System. A patient care report is created by the FDNY for each emergency call to which an ambulance responds. The patient care report contains personal information about the patient that may include name, address, gender, telephone number, date of birth, insurance information number as well as health information related to the reason for the ambulance call. Our records indicate that you were treated and/or transported by the FDNY. Your personal information may have been included on the patient care report for that call.
Approximately one-third of the affected files had associated Social Security numbers, FDNY said. Those 3000 patients are being offered free credit monitoring, which, you’ll remember, is a service Equifax also tried to hand out to recent victims of its catastrophic 2017 breach.
We’ve reached out to the FDNY for additional details and will update if we hear back.