NYC Hospital Puts 6800 Health Records Online

A New York City hospital has apologized for a security lapse that allowed personal information belonging to as many as 6,800 former patients to be published on the Internet.

New York Presbyterian Hospital/Columbia University Medical Center says the information included names, clinical data and a few social security numbers.

The hospital said in a statement that the data had been inadvertently placed on a server, which was accessible online. The information has now been taken down. –Source

This is a pretty sad indiscretion although it is lacking some important details. I hate that it only says personal information for 6800 former patients. Ok, putting ANY health information on an insecure web server is just dumb, but not all health information is created equal. Plus, wouldn’t it be nice to know what happened to cause this issue so that others could learn from their mistakes?

Plus, was the health information placed on the web server in an accessible location or was it just on the web server? Those would be very different things.

Still, something’s wrong if they’re putting patient information on an unsecured server. Makes me wonder what the rest of the story really is though.

About the author

John Lynn


John Lynn is the Founder of the, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference,, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • “Makes me wonder what the rest of the story really is though.”


    Begs lots of questions when you spend about 10 seconds thinking about this incident. Isn’t 6800 former patients kind of a small number compared to the total population of former patients at NYPH/CUMC?

    Am sure the sanitized press stories are just reporting the news … not the investigative process especially with the potential for lawsuits coming in from a class of potentially 6800 plaintiffs.

    Only thing we know is that the breach happened without any word on whether the breach has resulted in attacks on those individuals through the loss in data.

    Wasn’t that long ago a reporter found medical records from four Boston hospitals at a dump.

    That HIPAA law thing is really working out great!

  • I’ve sent two requests to the email addy they provide to request additional info. No response at all. I agree with you that too much is omitted.

    BUT: if a patient’s relative was able to find the information through a search engine, then it was accessible.

    You know, they never actually say that the exposed info was on their own server. I’ve asked them the HOW of the breach — did the employee have a file-sharing program that resulted in patient data being up on the web somewhere, or what happened? Maybe it was on their own server, but they need to say more about how this happened.

    Saying that “snippets” were online is small comfort since it was clearly enough for someone to recognize/find a patient.

  • Dissent,
    Let us know if you hear back and what they say. I agree that they wouldn’t have announced it if it wasn’t some data of significance.
