In looking at the most recent update to HHS’s web site, I noted three other breaches that we did not know about already from other sources:
The Kent Center
The Kent Center in Rhode Island reported that paper records of 1,361 patients were stolen in July. In a notification linked from the homepage of their web site, they write, in part:
On July 13, 2010, a briefcase was stolen from the car of one of our clinicians. Documents in the briefcase included client names, dates of birth, and for some clients involved in the court system, limited clinical information. This did not affect all of the clients we have ever treated and the individuals it did affect have been sent written notifications. We learned about this incident the same day and it has been reported to the Providence Police Department. The briefcase resembled a laptop carrying case and we have no reason to believe the documents in the briefcase were the target of the theft. Other items in the car were stolen and the police informed our employee that there were several car break-ins on the same night in the area.
No financial information, such as social security numbers, addresses, insurance information, guarantor information, credit or debit card information or bank account numbers were included in the documents contained in the briefcase.
The employee involved received a reprimand.
Curtis R. Bryan, MD
Virginia psychiatrist Curtis R. Bryan, MD reported that a stolen laptop contained PHI on 2,739 patients. The laptop was stolen July 12. A notice prominently placed on the home page of his website states, in part:
A potential breach of unsecured patient personal health information (“PHI”) may have occurred when a computer possibly containing patient PHI was stolen from my private office at Kingsborough Square during a burglary that took place on July 12, 2010. The stolen files may have contained information from my private patients as well as patients I have seen in other locations to include Chesapeake, Norfolk, Portsmouth and Virginia Beach. This data may have included names, dates of birth, other personal identifying data, and/or diagnoses and/or treatment information depending on the location where the services were provided and what type of services were provided. To the best of our knowledge, no phone numbers or personal financial information were located or identified in any of these stolen files.
The laptop was stolen from the office:
Though the office was secured by four locks requiring three different keys to gain entrance and the window was locked, the window was not sufficiently fortified to withstand blunt force. To protect against the recurrence of this burglary technique, we have upgraded our security system in direct response to this event to include motion and heat sensors. Although this security upgrade should help us better protect your personal health information, we are taking additional steps to further reduce the likelihood of a future unauthorized disclosure of your PHI.
We have upgraded the password features of our computers. In addition, we are transferring all patient data to encrypted flash drives at the end of each day. These flash drives are Iron Key flash drives that require passwords. This type of flash drive destroys the data on the drive and renders it useless if the user fails to guess the correct password by the eighth attempt. Since we cannot render the office completely safe from this burglary technique due to the extremely brief amount of time required to conduct such a burglary, we are minimizing the ability of an unauthorized third party to access your PHI in the event of future computer theft through encryption and password protection.
Pediatric and Adult Allergy, PC
The Iowa-based center reported that 19,222 patients had PHI on a backup tape that was discovered missing on July 11. A series of FAQs are linked from a prominent place on the center’s website homepage. Any patient who had an account created before July 10, 2010 is affected. Notifications were sent to patients of the following doctors:
Dr. George Caudill (retired), Dr. Veljko Zivkovich (retired), Dr. Robert Colman, Dr. Whitney Molis.
According to the FAQs, the backup tape does not include the following patient information:
- Medical records (the office uses paper charts — not electronic medical records)
- Credit card information
- Bank account information (account number, routing number)
The backup tape includes patient account information, which may include some or all of the following data:
- Name
- Address
- Phone number
- Date of birth
- Social Security number
- Patient billing record number
- Insurance plan information
- Dates of service
- Insurance claim information (services and diagnoses)