DataBreaches.Net

Sierra Plastic Surgery notifies patients of privacy and data security breach that occurred in 2011

Posted on November 28, 2012 by Dissent

Aha. We now have some information on a breach that had been posted to HHS’s breach tool on October 19. At that time, I had blogged:

Sierra Plastic Surgery in Nevada was hacked or had a network compromise between August 19, 2011 and September 20, 2011, but are apparently just reporting it to HHS now – unless HHS mistyped the year of the incident twice. The incident affected 800, and I can’t find any notice on Sierra’s web site or anywhere on the web or in news sources. Nor is it clear whether the web site was hacked, where potential patients enter some personal information, or if their office server was hacked.

Today, however, KTVN reports:

Sierra Plastic Surgery, LLC says it has been informed of a possible data breach of its electronic records.

Sierra Plastic Surgery, LLC says the breach happened between August 11, 2011 and September 23, 2011. A terminated employee apparently had access to the network after leaving the company.

The plastic surgery center says that employee may have viewed or printed copies of surgery estimates that included names and birthdates and in rare cases, the employee also accessed the names of insurers, prescriptions, surgery notes and payment balances.

Sierra Plastic Surgery, LLC says in less than 50 instances the former employee accessed sensitive information including social security numbers, personal contact and payment information.

[…]

A statement is now posted on Sierra’s web site, linked from the home page. It’s not a prominent link, and is right under social media icons, so you may have to really be looking for it to notice it, but the undated notice says:

This legal notice is being posted in compliance with HIPAA laws, in relation to Sierra Plastic Surgery, LLC, 9436A Double R Blvd. Reno, NV, 89521 (“Sierra”) and its patients.

In August 2012, Sierra was informed of a potential data breach of its electronic records. The data breach occurred between August 11, 2011 – September 23, 2011 by a former employee seeking information on compensation owed.

The employee’s post-employment network access was not fully discovered until August 2012. The terminated employee may have viewed or printed a copy of patients’ surgery estimates, which included a name and birthdate. In rare instances the employee also accessed the name of an insurer, a prescription, surgery notes, a payment balance, and in approximately 25 instances sensitive payment information including a SSN#, payment information, or personal contact information was accessed.

Sierra contacted the former employee, as well as her attorney, explained the situation, and has verified under penalty of perjury that she has returned all records. Not all patients were affected.

Sierra is sending individual letters to all individuals whose data was breached based on their last known address. If you were ever a patient of Sierra Plastic Surgery, and have any questions or concerns about your data you may contact our hotline at (866) 979-2596.

Sierra has conducted a review of its data storage access and is assured that the data breach will not happen again in the future. Sierra has also reported the matter to local and federal authorities who will conduct a further review if necessary.

Their notice raises as many questions as it answers:

1. They say they were informed of the breach. Who informed them and how was the breach discovered?
2. Why wasn’t the employee’s access terminated when she terminated employment?
3. If they notified HHS that 800 patients were affected, why does this report say less than 50? Is the latter number the result of additional forensic investigation of their system or is it based on the former employee’s statements to them?
4. Why didn’t the practice detect the access to their system over a year ago? Were they auditing logs?
5. If the employee’s motivation in accessing patient records after she terminated was to determine compensation owed, why was she viewing patient records?
6. Why the delay in notification to patients?
7. Was this matter ever referred to law enforcement?

Category: Health Data
