Thanks to Adam Shostack, I realized that although HHS provides two formats for their breach report database, the two databases do not necessarily contain the same number of breach reports on any given day. While he was analyzing data based on the .xml version containing 181 breach reports, I had been using the .csv version, which only reflected 166 breaches. On further inspection, it appears that the .csv file hasn’t been updated as recently as the .xml file.
So here are the 15 entries not included in the .csv file that I had been relying upon in my statistical analyses. For the convenience of those compiling breaches for their databases, entries that appear with an asterisk have never been reported on this blog before or in any media source I’ve seen, although you may not be able to add some of them to your sites in the absence of additional information as to what kinds of information or data were involved. Entries below are arranged in ascending order based on number of patients reportedly affected:
* Lorenzo Brown, MD, Inc.
State: CA
Date of Incident: 8/17/2010
Type of Incident: Theft
Location of Data: Desktop Computer
Date Reported: 10/7/2010
Number of Patients Affected: 928
Note: as of today’s date, there is no notice on his web site.
* St. James Hospital and Health Centers
State: IL
Date of Incident: 8/10/2010
Type of Incident: Improper Disposal
Location of Data: Paper Records
Date Reported: 10/1/2010
Number of Patients Affected: 967
Note: as of today’s date, there is no notice on their web site.
St. Vincent Hospital and Health Care Center, Inc.
State: IN
Date of Incident: 7/25/2010
Type of Incident: Theft
Location of Data: Laptop
Date Reported: 10/1/2010
Number of Patients Affected: 1199
Note: they had posted a notice on their web site on Sept. 30, prominently linked from their home page.
* Matthew H. Conrad, MD, PA
State: KS
Date of Incident: 8/20/2010
Type of Incident: Theft
Location of Data: Laptop, Paper Records
Date Reported: 10/1/2010
Number of Patients Affected: 1200
Note: as of today’s date, there is no notice on his web site.
* UnitedHealth Group
Business Associate: CareCore National
State: MN
Date of Incident: 7/8/2010
Type of Incident: Unauthorized Access
Location of Data: Paper Records
Date Reported: 10/7/2010
Number of Patients Affected: 1270
Note: as of today’s date, there is no notice on either entity’s web site.
* Alliance HealthCare Services, Inc.
Business Associate: Eden Medical Center
Business Associate: Oroville Hospital
State: CA
Date of Incident: 8/5/2010 (Eden)
Date of Incident: 7/31/2010 (Oroville)
Type of Incident: Loss
Location of Data: Portable Electronic Device, Other
Date Reported: 10/7/2010
Number of Patients Affected: 1474 (Eden)
Number of Patients Affected: 1474 (Oroville)
*This was entered as two entries in the database, perhaps double-counting the number of patients. More significantly, I have a question about the CE/BA relationship and am waiting to hear from a hospital spokesperson as to whether Alliance lost the hospital’s data or vice versa. As reported by HHS, the hospitals lost Alliance’s data.
Note: as of today’s date, there is no notice on any of the three entities’ web sites.
State of Alaska, Department of Health and Social Services
Business Associate: Alaskan AIDS Assistance Association
State: AK
Date of Incident: 9/7/2010
Type of Incident: Theft
Location of Data: Portable Electronic Device, Other
Date Reported: 10/1/2010
Number of Patients Affected: 2000
Note: Alaskan AIDS Assistance Association posted a notice on their web site sometime on or after September 23, as it was not their on the 23rd when I last checked their site.
* Wright Patterson Air Force Base
State: OH
Date of Incident: 7/29/2010
Type of Incident: Improper Disposal
Location of Data: Paper Records
Date Reported: 10/7/2010
Number of Patients Affected: 2123
Note: I do not see this incident in the VA’s monthly report to Congress for either July or August. It may appear in a subsequent report. I do not see any notice on their web site at this time.
New York Presbyterian Hospital and Columbia University Medical Center
State: NY
Date of Incident: 7/1/2010
Type of Incident: Hacking/IT Incident
Location of Data: Network Server
Date Reported: 10/1/2010
Number of Patients Affected: 6800
Note: their notice was previously discussed in the blog entry on the breach.
* Counseling and Psychotherapy of Throggs Neck
State: NY
Date of Incident: 9/6/2010
Type of Incident: Theft
Location of Data: Desktop Computer
Date Reported: 10/1/2010
Number of Patients Affected: 9000
Note: I cannot find any web site for them.
Milton Pathology Associates, P.C.
Business Associate: Goldthwait Associates
State: MA
Date of Incident: 7/26/2010
Type of Incident: Improper Disposal
Location of Data: Paper Records
Date Reported: 10/5/2010
Number of Patients Affected: 11,000
Note:I cannot find any web site for this practice.
* University of Oklahoma-Tulsa, Neurology Clinic
State: OK
Date of Incident: 7/25/2010
Type of Incident: Hacking/IT Incident
Location of Data: Desktop Computer
Date Reported: 10/1/2010
Number of Patients Affected: 19,264
Note: The clinic posted a notice on October 5, prominently linked from its home page. Although the HHS log reflects a “hacking/IT incident,” the notice makes clear that this was a case of malware:
The University of Oklahoma’s Tulsa Neurology practice recently became aware that one of its clinic computers had been compromised by a virus. The Clinic is notifying individuals whose records were maintained on the computer of the discovery. Patients of Dr. John Cattaneo and of Neurology, LLC, a Tulsa practice where Dr. Cattaneo formerly practiced are being notified this week by letter.
The letters advise the patients that an intensive investigation determined that a virus capable of retrieving data from documents located on the computer had been discovered. Although it is not possible at this time to determine what documents on the computer, if any, were accessed by this virus, in an abundance of caution, the Clinic is notifying those individuals whose information and documents were stored there. Many of these documents included some or all of the following: patient name, telephone number, address, birth date, Social Security Number, medical record and insurance numbers, procedure billing codes, diagnosis codes, lab reports, office notes, radiology reports, and service dates. In some records, guarantor information was also included. The virus was detected on or about July 28, and its properties were determined during the investigation.
Milford Regional Medical Center
Business Associate: [Goldthwait Associates] – not noted on HHS, but in all media coverage.
State: MA
Date of Incident: 7/26/2010
Type of Incident: Improper Disposal
Location of Data: Paper Records
Date Reported: 10/1/2010
Number of Patients Reported Affected: 19,750
Note: The hospital’s notice is prominently linked from the home page on their web site.