New York’s Lincoln Medical and Mental Health Center is notifying patients that their personal information may have been compromised after seven CDs full of unencrypted data were FedExed by a hospital contractor and then lost in transit.

The CDs were sent by the hospital’s billing processor, Siemens Medical Solutions USA, around March 16, but never arrived at their intended destination. They included sensitive health and personal information including Social Security numbers, addresses, dates of birth, health plan numbers, driver’s license numbers and even descriptions of medical procedures, the hospital said on a note posted to its Web site.

The breach affects 130,495 patients, according to a notification posted by the U.S. Department of Health and Human Services.

“FedEx has suggested that the CDs likely became separated from their shipping envelope at one of its facilities, were swept up and destroyed,” the hospital said in a letter sent to victims, dated June 4.

The CD was password-protected but unencrypted, the letter states.

Companies have begun taking better care of their customers’ data in recent years, as they’ve had to foot multimillion-dollar bills following similar incidents. According to the Ponemon Institute, a security research firm, the average U.S. data breach costs companies more than US$200 per record.

Siemens is no longer FedExing CDs to Lincoln, the hospital said. It is not aware of any of the data being improperly accessed.

 (Source: Business Week)