University of Rochester Medical Center Acknowledges Security Breach


New York's University of Rochester Medical Center (URMC) today announced that it has sent letters to 537 former orthopaedic patients informing them that a resident physician had misplaced an unencrypted USB drive containing their protected health information. The drive is believed to have been lost at a URMC outpatient orthopaedic facility (h/t

The data on the drive included the patients' names, genders, ages, birthdates, weights, phone numbers, medical record numbers, physician's names, dates of service, diagnoses, diagnostic studies, procedures, and complications, if any.

The medical center says no Social Security numbers, mailing addresses, or insurance information were included.

"After an exhaustive but unproductive search, hospital leaders believe that the drive likely was destroyed in the laundry," URMC said in a statement. "A search of the laundry service, which works exclusively with hospital/medical facilities, also failed to locate the drive."

The medical center says it's "re-educating" faculty and staff on its policy requiring the use of encrypted drives for storage of protected health information, and is encouraging its employees to access patient information on its secure network rather than on portable drives.