DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

A Georgetown University Hospital breach makes me wonder about HHS's breach tool

Posted on March 21, 2012 by Dissent

The recent update to the HHS breach tool made me aware of a breach involving Georgetown University Hospital that affected over 1,500 patients.

The following statement was issued by Georgetown University Hospital, who kindly provided this site with a copy of the notification:

A USB thumb drive storing patient information was recently determined to be misplaced at Georgetown University Hospital. The unsecured thumb drive contained data on 1,526 people who were Georgetown University Hospital (GUH) patients between September 2004 and September 2009. We have no reason to believe the device was stolen or that any of the information will be misused. We do not believe that patients will be adversely affected by the loss of this thumb drive. The thumb drive did not store any addresses, social security numbers, and/or financial information and remain secure

The thumb drive was last seen September 9, 2011 but was not identified as missing until the morning of September 14, 2011 and is now presumed to be lost. After becoming aware of this matter GUH leadership immediately started a thorough investigation. Through the investigation GUH has determined that information related to patients of the Department of Laboratory Medicine was compiled for the purpose of investigating data that would be used for educational purposes. GUH is permitted to review medical information for research and educational purposes and is permitted to use USB drives to transport data. However the technician who compiled the data did not utilize the correct secure technology to protect the information, which is against hospital policy.

Data on the hard drive included patient names, medical record number, date of birth, blood type, date of blood test, blood test results and interpretation, brief clinical history and clinician name.

We are in the process of contacting all of the patients whose information was on the thumb drive. We believe no further actions are required of patients at this time.

We are taking strong and appropriate actions to prevent this kind of data loss from recurring and we are taking all the necessary steps to notify appropriate regulatory authorities, as well as re-evaluating our processes to ensure that we continue to use and disclose patient information only as permitted by law and in accordance with our Notice of Privacy Practices.

GUH values the privacy of all medical information as an important part of our commitment to the clinical care of our patients and our research and education missions. We view the protection of patient privacy as an essential component of our vision to be the Trusted Leader in Caring for People and Advancing Health and our mission to serve our patients.

For additional information, contact Marianne Worley, director of media relations at Georgetown University Hospital at 703-558-1287.

That statement, which is simply written and wonderfully clear, does not really match the entry on HHS’s breach tool, though:

Georgetown University Hospital, DC,”1,549″, 11/1/2011, Unauthorized Access/Disclosure,Paper

This was not a disclosure or unauthorized access. Nor was it an incident that involved paper records. And the incident didn’t happen November 1. Of course, it’s possible that the GUH employee who entered the data on the breach tool didn’t click the right buttons or had misunderstood the breach or reporting fields at the time of reporting. But I never expected to see a missing USB drive report based on the entry in the breach tool.

So what’s going on and how much can we trust the coding on the breach tool for analysis purposes?

And is it time for HHS to refine their reporting tool to provide more categories such as “lost or missing?” I guess it depends on how HHS and others see the purpose of the breach tool, but for myself, I’d like to see it be a little less vague/confusing on incident coding.

Related posts:

  • Operation Anti Security Breakdown and targets, the full time line
Category: Health Data

Post navigation

← Cn: Dangdang Freezes Accounts After Hacking Incident
Update: Computer seized over Belfast City Hall breach (updated) →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Mississippi Law Firm Sues Cyber Insurer Over Coverage for Scam
  • Ukrainian Hackers Wipe 47TB of Data from Top Russian Military Drone Supplier
  • Computer Whiz Gets Suspended Sentence over 2019 Revenue Agency Data Breach
  • Ministry of Defence data breach timeline
  • Hackers Can Remotely Trigger the Brakes on American Trains and the Problem Has Been Ignored for Years
  • Ransomware in Italy, strike at the Diskstation gang: hacker group leader arrested in Milan
  • A year after cyber attack, Columbus could invest $23M in cybersecurity upgrades
  • Gravity Forms Breach Hits 1M WordPress Sites
  • Stormous claims to have protected health info on 600,000 patients of North Country Healthcare. The patient data appears fake. (2)
  • Back from the Brink: District Court Clears Air Regarding Individualized Damages Assessment in Data Breach Cases

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The EU’s Plan To Ban Private Messaging Could Have a Global Impact (Plus: What To Do About It)
  • A Balancing Act: Privacy Issues And Responding to A Federal Subpoena Investigating Transgender Care
  • Here’s What a Reproductive Police State Looks Like
  • Meta investors, Zuckerberg to square off at $8 billion trial over alleged privacy violations
  • Australian law is now clearer about clinicians’ discretion to tell our patients’ relatives about their genetic risk
  • The ICO’s AI and biometrics strategy
  • Trump Border Czar Boasts ICE Can ‘Briefly Detain’ People Based On ‘Physical Appearance’

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.