Aha. We now have some information on a breach that had been posted to HHS’s breach tool on October 19. At that time, I had blogged:
Sierra Plastic Surgery in Nevada was hacked or had a network compromise between August 19, 2011 and September 20, 2011, but is apparently just reporting it to HHS now – unless HHS mistyped the year of the incident twice. The incident affected 800, and I can’t find any notice on Sierra’s web site or anywhere on the web or in news sources. Nor is it clear whether the web site, where potential patients enter some personal information, was hacked, or whether their office server was hacked.
Today, however, KTVN reports:
Sierra Plastic Surgery, LLC says it has been informed of a possible data breach of its electronic records.
Sierra Plastic Surgery, LLC says the breach happened between August 11, 2011 and September 23, 2011. A terminated employee apparently had access to the network after leaving the company.
The plastic surgery center says that employee may have viewed or printed copies of surgery estimates that included names and birthdates, and in rare cases the employee also accessed the names of insurers, prescriptions, surgery notes and payment balances.
Sierra Plastic Surgery, LLC says in less than 50 instances the former employee accessed sensitive information including social security numbers, personal contact and payment information.
[…]
A statement is now posted on Sierra’s web site, linked from the home page. The link is not prominent (it sits right under the social media icons), so you may have to be looking for it to notice it. The undated notice says:
This legal notice is being posted in compliance with HIPAA laws, in relation to Sierra Plastic Surgery, LLC, 9436A Double R Blvd. Reno, NV, 89521 (“Sierra”) and its patients.
In August 2012, Sierra was informed of a potential data breach of its electronic records. The data breach occurred between August 11, 2011 and September 23, 2011, by a former employee seeking information on compensation owed.
The employee’s post-employment network access was not fully discovered until August 2012. The terminated employee may have viewed or printed a copy of patients’ surgery estimates, which included a name and birthdate. In rare instances the employee also accessed the name of an insurer, a prescription, surgery notes, a payment balance, and in approximately 25 instances sensitive payment information including an SSN, payment information, or personal contact information was accessed.
Sierra contacted the former employee, as well as her attorney, explained the situation, and has verified under penalty of perjury that she has returned all records. Not all patients were affected.
Sierra is sending individual letters to all individuals whose data was breached based on their last known address. If you were ever a patient of Sierra Plastic Surgery, and have any questions or concerns about your data you may contact our hotline at (866) 979-2596.
Sierra has conducted a review of its data storage access and is assured that the data breach will not happen again in the future. Sierra has also reported the matter to local and federal authorities who will conduct a further review if necessary.
Their notice raises as many questions as it answers:
1. They say they were informed of the breach. Who informed them and how was the breach discovered?
2. Why wasn’t the employee’s network access disabled when her employment ended?
3. They notified HHS that 800 patients were affected, yet the KTVN report says “less than 50 instances” and the notice says “approximately 25 instances” involved SSNs, payment or contact information. How was the 800 figure arrived at, how many patients had surgery estimates viewed or printed, and is the smaller number the result of a forensic review of their own system or simply what the former employee told them?
4. Why didn’t the practice detect the access to their system over a year ago? Were they auditing logs?
5. If the employee’s motivation in accessing the network after her employment ended was to determine compensation owed to her, why would that require viewing or printing patient records at all?
6. Why the delay in notification to patients?
7. The notice says the matter was “reported to local and federal authorities.” Was it actually referred to law enforcement, or only to regulators?
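Questions 2 and 4 are about two controls that would have caught this case within days rather than a year: disabling accounts on the employee’s last day, and checking authentication and file-access logs against the HR termination list. The script below is an added example, not code from Sierra or from this post. The HR roster, the directory export and the log lines are constructed sample data, and the `key=value` log format is an assumption; the same logic applies to whatever your EHR or domain controller actually emits.

```python
"""
Added example (constructed data, not from the original post): cross-check an
HR termination roster against (a) directory account status and (b) an
authentication / file-access log, to surface post-termination activity.
"""
from datetime import date, datetime
import re

# Constructed HR roster: username -> last day of employment.
TERMINATIONS = {
    "jdoe": date(2011, 8, 10),
    "asmith": date(2011, 9, 30),
}

# Constructed directory export: username -> is the account still enabled?
ACCOUNTS = {
    "jdoe": True,     # enabled after the last day: a deprovisioning gap
    "asmith": True,   # still employed, so enabled is fine
    "rlee": False,
}

# Constructed log lines. The "<timestamp> key=value ..." format is assumed.
AUTH_LOG = """\
2011-08-09T17:40:12 user=jdoe src=192.0.2.10 event=logon result=success
2011-08-11T22:05:44 user=jdoe src=198.51.100.7 event=logon result=success
2011-08-11T22:07:03 user=jdoe src=198.51.100.7 event=file_read path=/ehr/estimates/2011-08.pdf
2011-09-01T08:15:00 user=asmith src=192.0.2.11 event=logon result=success
2011-09-23T01:12:30 user=jdoe src=198.51.100.7 event=print path=/ehr/estimates/2011-09.pdf
2011-09-23T01:13:30 user=nobody src=198.51.100.7 event=logon result=failure
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


def parse_line(line):
    """Parse one log line into a dict; returns None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    return fields


def post_termination_activity(log_text, terminations):
    """Return every event whose user acted after their last day of employment."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        last_day = terminations.get(ev.get("user"))
        if last_day is not None and ev["ts"].date() > last_day:
            hits.append(ev)
    return hits


def stale_enabled_accounts(accounts, terminations, as_of):
    """Usernames still enabled in the directory although their last day is before as_of."""
    return sorted(u for u, enabled in accounts.items()
                  if enabled and u in terminations and terminations[u] < as_of)


def summarize(hits):
    """Per user: first and last post-termination timestamp and event count."""
    out = {}
    for ev in hits:
        s = out.setdefault(ev["user"], {"first": ev["ts"], "last": ev["ts"], "count": 0})
        s["first"] = min(s["first"], ev["ts"])
        s["last"] = max(s["last"], ev["ts"])
        s["count"] += 1
    return out


if __name__ == "__main__":
    hits = post_termination_activity(AUTH_LOG, TERMINATIONS)
    for user, s in summarize(hits).items():
        print(f"{user}: {s['count']} events after last day, {s['first']} .. {s['last']}")
    print("still enabled past last day:",
          stale_enabled_accounts(ACCOUNTS, TERMINATIONS, date(2011, 9, 23)))
```

On the sample data the audit flags three events by `jdoe` between August 11 and September 23, 2011, and reports that the `jdoe` account is still enabled; the legitimate `asmith` logon and the failed `nobody` logon are ignored. Run on a real roster and real logs, the first report would have dated the access to days after the last day of employment instead of a year later, and the second would have shown the account was never disabled.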