FDNY EMS Notifies More Than 10,000 Patients of Possible Data Breach (Aug 9, 2019)

The New York City Fire Department has notified over 10,000 people previously treated or transported by its ambulance services that their personal information may have been compromised. According to FDNY, an employee uploaded the information onto their personal hard drive, which was later reported as missing in March 2019. A total of 10,253 patients, 235 of whom are minors, were notified by mail of the possible breach; all of them had been treated and/or transported by EMS between 2011 and 2018. In the notices, the FDNY says the missing hard drive contained names and health information related to the reason for the ambulance call, as well as associated addresses, dates of birth, gender information, insurance information, telephone numbers, and, in approximately 3,000 cases, Social Security numbers. While there is currently no evidence that any of the information stored on the personal device has been accessed, the FDNY is treating the incident as if the information may have been seen by an unauthorized person.

Recommendation: Data breaches can leave the affected individuals at heightened risk of phishing attacks, because actors can use the exposed information to coerce more personal data from the victim. Security protocols should be reviewed to ensure that sensitive data is being handled correctly and that only those who need access to it have it.
