DataBreaches.Net

Sierra Plastic Surgery notifies patients of privacy and data security breach that occurred in 2011

Posted on November 28, 2012 by Dissent

Aha. We now have some information on a breach that had been posted to HHS’s breach tool on October 19. At that time, I had blogged:

Sierra Plastic Surgery in Nevada was hacked or had a network compromise between August 19, 2011 and September 20, 2011, but are apparently just reporting it to HHS now – unless HHS mistyped the year of the incident twice. The incident affected 800, and I can’t find any notice on Sierra’s web site or anywhere on the web or in news sources. Nor is it clear whether the web site was hacked, where potential patients enter some personal information, or if their office server was hacked.

Today, however, KTVN reports:

Sierra Plastic Surgery, LLC says it has been informed of a possible data breach of its electronic records.

Sierra Plastic Surgery, LLC says the breach happened between August 11, 2011 and September 23, 2011. A terminated employee apparently had access to the network after leaving the company.

The plastic surgery center says that employee may have viewed or printed copies of surgery estimates that included names and birthdates and in rare cases, the employee also accessed the names of insurers, prescriptions, surgery notes and payment balances.

Sierra Plastic Surgery, LLC says in less than 50 instances the former employee accessed sensitive information including social security numbers, personal contact and payment information.

[…]

A statement is now posted on Sierra’s web site, linked from the home page. It’s not a prominent link, and is right under social media icons, so you may have to really be looking for it to notice it, but the undated notice says:

This legal notice is being posted in compliance with HIPAA laws, in relation to Sierra Plastic Surgery, LLC, 9436A Double R Blvd. Reno, NV, 89521 (“Sierra”) and its patients.

In August 2012, Sierra was informed of a potential data breach of its electronic records. The data breach occurred between August 11, 2011 – September 23, 2011 by a former employee seeking information on compensation owed.

The employee’s post-employment network access was not fully discovered until August 2012. The terminated employee may have viewed or printed a copy of patients surgery estimates, which included a name and birthdate. In rare instances the employee also accessed the name of an insurer, a prescription, surgery notes, a payment balance, and in approximately 25 instances sensitive payment information including a SSN#, payment information, or personal contact information was accessed.

Sierra contacted the former employee, as well as her attorney, explained the situation, and has verified under penalty of perjury that she has returned all records. Not all patients were affected.

Sierra is sending individual letters to all individuals whose data was breached based on their last known address. If you were ever a patient of Sierra Plastic Surgery, and have any questions or concerns about your data you may contact our hotline at (866) 979-2596.

Sierra has conducted a review of its data storage access and is assured that the data breach will not happen again in the future. Sierra has also reported the matter to local and federal authorities who will conduct a further review if necessary.

Their notice raises as many questions as it answers:

1. They say they were informed of the breach. Who informed them and how was the breach discovered?
2. Why wasn’t the employee’s access terminated when she terminated employment?
3. If they notified HHS that 800 patients were affected, why does this report say less than 50? Is the latter number the result of additional forensic investigation of their system or is it based on the former employee’s statements to them?
4. Why didn’t the practice detect the access to their system over a year ago? Were they auditing logs?
5. If the employee’s motivation in accessing patient records after she terminated was to determine compensation owed, why was she viewing patient records?
6. Why the delay in notification to patients?
7. Was this matter ever referred to law enforcement?

Category: Health Data
