DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

A Georgetown University Hospital breach makes me wonder about HHS's breach tool

Posted on March 21, 2012 by Dissent

The recent update to the HHS breach tool made me aware of a breach involving Georgetown University Hospital that affected over 1,500 patients.

The following statement was issued by Georgetown University Hospital, who kindly provided this site with a copy of the notification:

A USB thumb drive storing patient information was recently determined to be misplaced at Georgetown University Hospital. The unsecured thumb drive contained data on 1,526 people who were Georgetown University Hospital (GUH) patients between September 2004 and September 2009. We have no reason to believe the device was stolen or that any of the information will be misused. We do not believe that patients will be adversely affected by the loss of this thumb drive. The thumb drive did not store any addresses, social security numbers, and/or financial information and remain secure

The thumb drive was last seen September 9, 2011 but was not identified as missing until the morning of September 14, 2011 and is now presumed to be lost. After becoming aware of this matter GUH leadership immediately started a thorough investigation. Through the investigation GUH has determined that information related to patients of the Department of Laboratory Medicine was compiled for the purpose of investigating data that would be used for educational purposes. GUH is permitted to review medical information for research and educational purposes and is permitted to use USB drives to transport data. However the technician who compiled the data did not utilize the correct secure technology to protect the information, which is against hospital policy.

Data on the hard drive included patient names, medical record number, date of birth, blood type, date of blood test, blood test results and interpretation, brief clinical history and clinician name.

We are in the process of contacting all of the patients whose information was on the thumb drive. We believe no further actions are required of patients at this time.

We are taking strong and appropriate actions to prevent this kind of data loss from recurring and we are taking all the necessary steps to notify appropriate regulatory authorities, as well as re-evaluating our processes to ensure that we continue to use and disclose patient information only as permitted by law and in accordance with our Notice of Privacy Practices.

GUH values the privacy of all medical information as an important part of our commitment to the clinical care of our patients and our research and education missions. We view the protection of patient privacy as an essential component of our vision to be the Trusted Leader in Caring for People and Advancing Health and our mission to serve our patients.

For additional information, contact Marianne Worley, director of media relations at Georgetown University Hospital at 703-558-1287.

That statement, which is simply written and wonderfully clear, does not really match the entry on HHS’s breach tool, though:

Georgetown University Hospital, DC,”1,549″, 11/1/2011, Unauthorized Access/Disclosure,Paper

This was not a disclosure or unauthorized access. Nor was it an incident that involved paper records. And the incident didn’t happen November 1. Of course, it’s possible that the GUH employee who entered the data on the breach tool didn’t click the right buttons or had misunderstood the breach or reporting fields at the time of reporting. But I never expected to see a missing USB drive report based on the entry in the breach tool.

So what’s going on and how much can we trust the coding on the breach tool for analysis purposes?

And is it time for HHS to refine their reporting tool to provide more categories such as “lost or missing?” I guess it depends on how HHS and others see the purpose of the breach tool, but for myself, I’d like to see it be a little less vague/confusing on incident coding.

Related posts:

  • Calling time of death on HHS’s “breach tool”
  • Latest update to HHS breach tool discloses previously unknown breaches
Category: Health Data

Post navigation

← Cn: Dangdang Freezes Accounts After Hacking Incident
Update: Computer seized over Belfast City Hall breach (updated) →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.