Ambucor Health Solutions (“Ambucor”), a remote monitoring service for cardiac devices, discovered that thumb drives recovered from a former Ambucor employee contained the personal information of some of Ambucor’s customers’ patients. The affected patients include some patients of Stony Brook Internists, University Faculty Practice Corporation and Lenox Hill Heart and Vascular Institute.
Investigators determined that the content of the thumb drives did NOT include Social Security numbers, insurance, Medicaid/Medicare or financial information for the patients treated at Stony Brook Internists, University Faculty Practice Corporation and Lenox Hill Heart and Vascular Institute. The information on the thumb drives may have included a patient’s name, date of birth, home address, phone number, medications, race, testing data, identification number, medical device information (such as the manufacturer), diagnosis, Ambucor enrollment number, Ambucor enrollment date, and the name and address of the practice where the patient was seen.
Ambucor determined that the former employee had downloaded information from a company-issued computer to thumb drives shortly before his employment ended. In July 2016, federal law enforcement authorities provided Ambucor with two thumb drives turned over by the former employee. After completing a detailed review of forensic and other information, Ambucor was able to determine in September 2016 that information on the drives was patient data. On September 24, 2016, Ambucor began notifying its healthcare customers about the incident.
As of this writing, Ambucor has received no indication that any personal data has been misused. However, out of an abundance of caution, Ambucor is offering affected patients one year of identity protection services and, if necessary, related recovery services and $1 million of identity theft insurance at no cost to the patients. Potentially affected patients will receive a personal notification letter with instructions on how to activate the identity protection services.
Ambucor appreciates the importance of protecting the privacy and security of personal information and deeply regrets any inconvenience or concern this incident may cause patients in the respective practices. Ambucor officials are taking steps to prevent this type of incident from occurring again, including a thorough review of, and any applicable updates to, all HIPAA security processes.
For questions or additional details, contact the Ambucor dedicated call center at 866-313-7993.