An unknown number of Memorial Sloan-Kettering Cancer Center patients had clinical data and private information, in some cases their Social Security numbers, erroneously leaked onto two medical professional organization’s websites earlier this year, according to the hospital.
After an inquiry by the Long Island Press Wednesday, the world’s oldest and largest cancer center emailed a statement acknowledging that private information embedded behind a PowerPoint presentation landed on the Internet in April.
“As part of our ongoing data security efforts, Memorial Sloan-Kettering Cancer Center recently discovered a data incident that may have resulted in exposure of clinical data and private information on the web pages of two medical professional organizations,” it reads. “We became aware that the creation of graphs for a PowerPoint presentation inadvertently contained embedded information.”
Patients names, phone numbers, addresses and “in some cases” Social Security numbers could have been viewed if the PowerPoint presentation was manipulated, Christine Hickey, the cancer center’s director of communications said.
It was unclear how many patients have been affected by the leak at this time, she added. Letters were sent to patients whose information may have been exposed on the Web.
“We deeply regret that any patient’s information may have been exposed and have notified all patients affected by this,” says the statement. “We do not have any evidence that this information has been misused.”
Memorial Sloan-Kettering’s Internet security team learned of the leak during a routine check by its Internet security team and the exposed information was taken down the next day, explained Hickey.
She added that the data wasn’t visible on the PowerPoint, but if someone was aware of the information behind the graph, the document could’ve been manipulated in a way that the private data would be revealed.
“We’re doing everything we can to ensure that individuals information hasn’t been used inappropriately,” assured Hickey.
The leak was a “mistake” and the person creating the graph had no idea that anything was hidden behind the presentation, she said. No disciplinary measures were taken, noted Hickey, but the staff has been educated to prevent future leaks of private information. A new technical safeguard was also put in place to protect patient information.
“The confidentiality of patients is of critical importance to us and we remain committed to the well-being and safety of our patients and to the security of all protected health information,” reads the statement.