It seems that in some cases, more details about breaches are being provided on HHS’s breach list in the way of summaries. To update some previously reported breaches (links are to prior PHIprivacy.net coverage of the breaches):
Protected health information was released from the covered entity when an imposter, posing as representatives of the legitimate recycling service used by the covered entity, removed several barrels of purged x-ray films and film jackets. The barrels contained the protected health information of approximately 1,300 individuals. The protected health information involved in the breach included full patient names, patient dates of birth, patient genders, patient clinic medical numbers, internal accession numbers, type of film and site locations, dates and times of image creation, physician or provider names, and internal provider numbers. Following the breach, the covered entity contacted the individuals affected by the breach, offered credit monitoring services to these individuals, investigated the root cause of the breach, and retrained the employee responsible for the breach on verification of identity policies and procedures. Additionally, OCR’s investigation resulted in the covered entity creating a new policy and procedure that specifically addresses the verification of identity of disposal vendors and training all relevant staff on the new policy.
The business associate mailed a package to the covered entity that was supposed to contain a backup data tape and compact disc (CD) containing protected health information, but the tape and the CD were not in the package. Approximately 2,000 individuals were affected by the breach. Individual demographic, financial and clinical information was included in the protected health information. The covered entity provided written notice and an apology to affected individuals, provided them with details of the incident, described ways for these individuals to protect themselves from identity theft and provided a toll-free telephone number for the individuals to call if they had additional questions. Following the breach, the covered entity continues to back up data on tapes, but it now stores the tapes in a safe deposit box instead of sending them via the mail.
A binder with printed protected health information was stolen from an employee’s vehicle. The covered entity was unable to determine the number of affected individuals, but the stolen binder contained the information of up to 1,272 patients. The protected health information involved in the breach included names, telephone number, detailed notes regarding treatment and possibly the patients’ Social Security numbers. Following the breach, the covered entity sanctioned the employee and developed a new policy requiring the on-call staff to submit information created during the shift to the main office rather than adding it to the binder. Additionally, OCR’s investigation resulted in the covered entity notifying the local media about the breach.
Blue Cross Blue Shield Association:
The business associate experienced an error in its quarterly address update process that resulted in the mailing of protected health information to incorrect addresses. The breach affected approximately 15,000 individuals. The mailing contained demographic information, EOBs, clinical information, and diagnoses. The covered entity acted to mitigate the disclosure by collecting the returned mail and verifying that it had not been delivered. The covered entity also updated its policies and procedures.
A month’s worth of client invoices went missing; evidence shows that the documents were never mailed, but despite a thorough search, the invoices were never located. The invoices contained the protected health information of over 500 individuals. The protected health information involved in the breach included names, dates of birth, and medical testing information. Following the breach, the covered entity notified its clients of the incident, placed notice on its website and in the Chicago Tribune, arranged for a business associate to handle the mailing of invoices in the future, and provided OCR with documentation of these actions.
University of Pittsburgh Student Health Center:
Documents containing protected health information were lost when an employee of the covered entity confiscated and eventually destroyed them. The breach affected approximately 8,000 individuals. The documents contained names and financial information. Following the breach, the covered entity reviewed its policies and procedures for safeguarding the physical security of paper records. The covered entity terminated the employee who violated these policies by stealing the records.
A nurse impermissibly used the protected health information of patients to obtain narcotics from the Tomah Memorial Hospital for her own personal use. Tomah Memorial Hospital reported that approximately 600 patients were affected by the breach. The protected health information involved in the breach included the name and account number of the patient. Tomah Memorial Hospital terminated the nurse. Following the breach, Tomah Memorial Hospital created a monthly audit of Schedule II narcotics by each patient care department, which will match the medication dispense log to the order and bill.