On August 8, the Saint Barnabas Health Care System in New Jersey publicly disclosed a breach involving a Business Associate, MedAssets:
MedAssets, Inc., an independent revenue management and supply chain company that provides certain administrative and business services to the Saint Barnabas Health Care System, informed us on July 1, 2011 that an unencrypted external computer hard drive was stolen on June 24, 2011, from a MedAssets employee’s car, parked in a restaurant parking lot. The hard drive contained personal information used to determine eligibility for governmental benefits for certain patients of our six acute care hospitals.
The data contained patient names and for each such patient, information from one or more of the following categories: Medical Center account number, medical record number, date of birth, Medical Center charges incurred, amounts paid to the Medical Center, information on health insurance, eligibility for applicable governmental benefit programs and/or Medical Center admission and discharge dates. Social security numbers were included for about seven percent of the affected patients. The hard drive did not include any patient addresses, other financial information, or any clinical information regarding the patient’s care.
Patient privacy is of primary importance to the Saint Barnabas Health Care System; therefore, we have followed up extensively with MedAssets regarding this incident. Although at this time there is no evidence that the information in the hard drive has been improperly accessed or used, MedAssets has provided written confirmation that it is implementing improved privacy safeguards to avoid similar incidents in the future, including eliminating the use of all unencrypted hard drives used for data back-up by its employees and strengthening the enforcement of its existing policy prohibiting their use. We have also directed that MedAssets provide patient privacy retraining to its employees working at our facilities.
Letters are being sent to affected patients. Although no financial information was included other than social security numbers for certain individuals, patients are being advised to be aware of any suspicious activity and to monitor their credit reports and financial accounts. Patients with questions relating to this incident should call our toll-free hotline at 888-414-8023 between 8am and 5pm, Monday through Friday, and when prompted, enter the following 10 digit reference number: 7827072911.
While the theft of the external computer hard drive did not involve a Saint Barnabas Health Care System employee, we are making great efforts to protect our patients’ privacy and apologize for the inconvenience.
Although not mentioned in the notice on their site, as reported to the U.S. Dept. of Health and Human Services:
- Clara Maass Medical Center had 8,795 patients affected by the incident;
- Community Medical Center had 6,950 patients;
- Kimball Medical Center had 6,785 patients;
- Monmouth Medical Center had 6,443 patients;
- Newark Beth Israel Medical Center had 15,015 patients; and
- Saint Barnabas Medical Center had 6,179 patients.
This is not the first time that Saint Barnabas has reported a breach involving a business associate. In September 2010, they disclosed a breach involving KPMG. Also last year, Newark Beth Israel Medical Center disclosed a web exposure breach involving Professional Transcription Company.
Saint Barnabas wasn’t the only hospital system affected by the MedAssets breach, however. Patients at the Cook County Health and Hospitals System in Chicago, Illinois were also affected. In a notice posted on their web site on August 19, they write:
Dear Patient,
On Saturday, June 30, 2011, Cook County Health and Hospitals System (CCHHS) was notified by MedAssets, one of our Business Associates, that a computer hard drive was recently stolen.
CCHHS has learned that the information contained on the hard drive included names, encounter numbers and administrative information. We regret to inform you that your information was on the missing computer hard drive. Your addresses, birth date, and social security number were not on the hard drive.
The hard drive was neither password protected nor encrypted. Encryption is a process that converts the information on a computer into a format that cannot be easily understood by unauthorized people. Because the hard drive was not encrypted, there is a potential for others to see the information that was on the computer hard drive. Although the computer hard drive remains missing, there has been no indication of unauthorized use of the information.
It is important to know that, although not related to this incident, MedAssets is no longer a vendor of CCHHS. However, in response to this incident, MedAssets initiated corrective action, including ensuring no other CCHHS data are at risk.
[…]
In their report to HHS, CCHHS indicated that 32,008 patients were affected.
An unencrypted drive left in a car in a restaurant parking lot. Heads should have rolled for that one. What did this breach cost in terms of investigation and notifications? Those costs will ultimately drive up the cost of our health care. I find this type of breach inexcusable in this day and age and wish HHS/OCR would hand out a hefty fine or two to send the word that entities had damned well better make compliance with good security practices more of a priority.