In the process of updating PHIprivacy.net to reflect breaches newly disclosed by the U.S. Dept. of Health and Human Services (HHS), I found reference to a breach for which I was able to find a companion statement.
The University of Oklahoma-Tulsa, Neurology Clinic recently notified HHS of an incident affecting 19,264 patients. According to HHS’s logs, the clinic reported that the incident occurred or was detected on or about July 25. In a statement dated September 24 and posted on their web site on October, the clinic states:
The University of Oklahoma’s Tulsa Neurology practice recently became aware that one of its clinic computers had been compromised by a virus. The Clinic is notifying individuals whose records were maintained on the computer of the discovery. Patients of Dr. John Cattaneo and of Neurology, LLC, a Tulsa practice where Dr. Cattaneo formerly practiced are being notified this week by letter.
The letters advise the patients that an intensive investigation determined that a virus capable of retrieving data from documents located on the computer had been discovered. Although it is not possible at this time to determine what documents on the computer, if any, were accessed by this virus, in an abundance of caution, the Clinic is notifying those individuals whose information and documents were stored there. Many of these documents included some or all of the following: patient name, telephone number, address, birth date, Social Security Number, medical record and insurance numbers, procedure billing codes, diagnosis codes, lab reports, office notes, radiology reports, and service dates. In some records, guarantor information was also included. The virus was detected on or about July 28, and its properties were determined during the investigation.
This incident serves as a useful example of why HHS’s summary logs are not really that helpful to those who track and analyze data breaches. Their logs note the incident as a “hacking/IT incident” and their logs do not indicate the kinds of information involved in any particular breach. Hence, many of the incidents reported on their site might involve SSN, Medicare numbers, or financial info, but we simply can’t tell because their logs don’t tell us.
Perhaps all of those who track and analyze breaches should consider sending a joint letter to Congress and to HHS urging them to make more information on breaches available on their web site.