The newest additions to HHS’s breach tool reveal more breaches I hadn’t known about previously:
Wolf & Yun in Kentucky reported that 824 patients were affected by a laptop theft on April 24th. A public notice on the breach posted in the Courier-Journal on July 20 explains:
Public Notice Information on the limited theft of patient information. Wolf & Yun takes the privacy of our patients very seriously. Although there is a low risk to patients, we want to let the public know about a recent incident that occurred at our office. On April 24, 2012, a laptop was stolen by a thief. The laptop contained limited information that included name, date of birth, and auditory testing data. No medical history information including symptoms, diagnoses or treatment was disclosed. There was no financial information or other sensitive information such as Social Security numbers or Medicare numbers included in these files. Upon discovery of the theft, the police were contacted and a report was filed. We continue to be in contact with the police regarding the recovery of the laptop. In light of this theft, we have increased security at our office and we are also revising our policies and procedures to safeguard against any future incidents. ….
Memorial Healthcare System in Florida notified HHS that 102,153 patients were notified of a breach that occurred between January 1, 2011 and July 5, 2012. That figure is significantly higher and the breach more extensive than what was reported in April, and I see that there is now a new notice on their web site that explains that another breach was discovered in the process of investigating the breach they knew about:
As part of an ongoing review of our patient information systems which commenced on April 27, 2012, we discovered that an employee of an affiliated physician’s office may have improperly accessed patient information through a web portal used by physicians who provide care and treatment at MHS. Specifically, patients’ names, dates of birth, and Social Security numbers may have been accessed during 2011 and 2012.
Update: A copy of their notification to New Hampshire and to patients can be found on NH’s site, here.
The Patterson Dental breach that affected patients of Hamner Square Dental and River Arch Dental affected 1,112 and 2,533 patients respectively.
Pamlico Medical Equipment LLC in North Carolina reported that 2,917 were affected by the loss of an electronic device on May 16th. I was able to locate an undated notice on Vidant Beaufort Hospital’s web site:
Pamlico Medical Equipment has experienced a security incident involving some of its patients’ personal information. Specifically, a flash drive mailed on our behalf was never received by the intended recipient. The information contained on the flash drive was limited to patient name, Medicaid/Social Security Number, medical equipment being provided by Pamlico Medical Equipment, insurance carrier contact information, and miscellaneous billing information such as service date, price of the equipment rental, etc. It is believed that the flash drive was emptied with compacted trash that was transported to a landfill.
Since becoming aware of the event we have conducted a thorough investigation of this unintentional but regrettable potential disclosure. This is not consistent with our privacy practices, and we regret this occurrence. Pamlico Medical Equipment has taken appropriate steps to prevent a similar occurrence in the future.
Although there is certainly no indication that anyone will or has used the information in an inappropriate manner, Pamlico Medical Equipment is offering some of the affected patients free comprehensive credit monitoring and fraud restoration services for one (1) year.
Persons seeking additional details may call 800-678-0697 for assistance.
The Surgeons of Lake County, LLC in Illinois reported that 7,067 were affected by an incident that occurred between June 22 and June 25. In a substitute notice, they write:
The Surgeons of Lake County, LLC (“Surgeons”) announced today that an unauthorized user had gained access to – and encrypted – their server in an attempt to force payment from Surgeons in exchange for the password needed to regain access to the server.
Surgeons learned of the incident on June 25, 2012, when it discovered that an unauthorized user had gained remote access to a server containing Surgeons’ corporate email and electronic medical records. The unauthorized user posted a message on the server stating that the contents of the server had been encrypted and could only be accessed with a password that would only be supplied if Surgeons made the demanded payment. Upon receiving the demand, the server was turned off, and has not been turned back on.
Surgeons officials immediately contacted law enforcement and began an investigation of the incident. In the wake of this incident, Surgeons is undertaking additional measures to strengthen and enhance its protocols to ensure the security of patient records.
“Safeguarding every patient’s personal information is a top priority at The Surgeons of Lake County,” said Scott C. Otto, M.D., President of The Surgeons of Lake County, LLC. “We are devoting significant people and technological resources to help protect patient confidentiality.”
Surgeons believes that the intention of the unauthorized access was to extort payment from Surgeons, not to take patient information, and Surgeons is not aware of any reports that the information contained on the server has been misused as a result of this incident.
Still, the unauthorized user had the ability to access names, addresses, Social Security numbers, credit card numbers, and certain medical information; and, as a result, Surgeons began mailing notification letters today to individuals who may have been affected. Surgeons is offering them one year of free credit monitoring services, as well as call center support.
If you believe that you have been affected, please call this toll-free number 1-855-755-8479, Monday through Friday from 8 a.m. to 5 p.m. (Eastern Time), and enter the reference code 7522071312 when prompted.
Adult & Child Care Center in Indiana reported that a hacking incident involving Choices, Inc. on May 10 affected 550 patients. I was unable to find any additional details on this incident.
Sharon L. Rogers, Ph.D., ABPP, a psychologist in Texas, reported that 585 patients had data on a laptop that was stolen on June 16. I was unable to find any additional details on this incident.
University of Kentucky HealthCare reported that 4,490 had data on a laptop stolen on May 1. The center posted a notice on their web site on June 21:
The University of Kentucky is notifying 4,490 patients regarding a breach of protected health information. A password-protected laptop was stolen on May 1, 2012. The employee had access to information that may have included medical record number, date of visit and general reason for visit. No Social Security numbers, dates of birth, credit card, debit card or bank account numbers were exposed.
The University of Kentucky deeply regrets this incident and continues its commitment to safeguard the privacy of its patients. UK HealthCare has policies and procedures in place to protect patient information, and is currently undertaking additional steps to reinforce those measures. There is no evidence information was misused.