New York City's Lincoln Hospital has suspended sending CDs via courier after a package of seven CDs containing detailed patient data was lost en route from its bill processing supplier, Siemens Medical Solutions, to the hospital.
Siemens notified the hospital in early April that the package had gone missing some time between 16 and 24 March. Siemens said it was attempting to locate the CDs, which had been sent via FedEx and were lost while in its possession.
By June, the hospital was forced under data breach disclosure laws to notify over 130,000 patients that "regrettably, the CDs have not yet been recovered".
The US Department of Health and Human Services' (HHS) public record of data breaches showed that the loss affected 130,495 patients. It was the second largest loss this year on the HHS list.
The CDs contained detailed medical data including health plan information, diagnostic descriptions, and dates of admission and discharge, as well as patients' home addresses and social security numbers.
The hospital confirmed that the CDs were neither password protected nor encrypted. FedEx had told the hospital that the CDs were likely "swept up and destroyed" at one of its facilities after becoming separated from their shipping envelope.
The Australian Law Reform Commission released its report on the local application of data breach disclosure laws in 2008, recommending a watered-down version of those implemented in the US.
Australia's Federal Government has yet to draft a bill for its introduction.