Unencrypted CD with patient data gets lost in the mail

Healthcare and Public Health

The Jersey City Medical Center is sending letters this month to affected individuals about a breach of their personal information, involving United Parcel Service, that happened two months ago.

The center had been in the process of mailing patient data required by Medicaid for a review of payments to New Jersey hospitals. The center sent the requisite CD in a package on June 13 and it was scheduled to arrive on June 16. The hospital learned it did not arrive on time and on June 22 was informed it could not be found.

The CD stored -- in plain text -- patient names, Social Security numbers, and, for some patients, dates of birth, medical record numbers, gender, and information on visits to the center in 2011. The patient visit data included admission and discharge dates, inpatient or outpatient status, number of days care was received, dollar amount of center charges incurred for care, name of health insurance payor(s), amounts paid by patient or insurers, and/or general type of claim and/or revenue code.

The notification letter states, “The CD did not include your address, any other personal contact information or specific medical information.”