An update to HHS’s breach tool this week adds 16 more incidents to their counter, although two of the entries appear to be for the same incident. Significantly, the list includes yet another Florida hospital report of theft of patient data, presumably for tax refund fraud or other fraud. In this case, though, it was not an employee of the hospital but an employee of a vendor. And once again, it seems, the hospital did not detect any problem until law enforcement alerted them.
Some of the incidents were previously noted in the media, on this blog, or on DataLossDB.org. For those, I’m simply adding notes as to what, if anything, we learned from the report to HHS that we didn’t previously know:
- Oregon Health & Science University: the laptop stolen from a surgeon’s rental home reportedly contained PHI on 1,114. In March, OHSU had indicated that more than 4,000 were affected.
- WA Department of Social and Health Services
- Shands Jacksonville Medical Center, Inc.
- University of Florida
- Hospice and Palliative Care Center of Alamance Caswell
- Texas Tech Unversity Health Sciences Center
- University of Mississippi Medical Center: the lost or missing laptop may have been missing as early as November 1, 2012. The center detected its loss on January 22.
- Mid America Health, PrevMED: Strangely, this breach is first appearing on HHS’s breach tool now even though the incident occurred in April 2012 and in June 2012, MAH notified Maryland that it was notifying HHS.
- Glens Falls Hospital, Portal Healthcare Solutions
The following are incidents that I didn’t already know about:
- John J. Pershing VA Medical Center in Missouri reported that 589 patients were affected by a paper records breach on February 20. A statement linked from the home page of their web site explains:
During a routine inspection, staff from the John J. Pershing VA Medical Center in Poplar Bluff recently discovered a box in an unoccupied equipment storage room; a box that contained personally identifiable information.
The information, including social security numbers, concerned approximately 580 Veteran patients at the medical center.
Though there is no indication the information was accessed or used by unauthorized personnel, the medical center is taking no chances. “The room was generally kept locked with only staff or contractors having access, but we cannot be absolutely certain the storage area was completely secure at all times, so we are notifying Veterans who could be affected,” noted Medical Center Director and CEO, Marj Hedstrom. “Every Veteran whose name was contained in the box will receive a letter of notification and, where appropriate, an offer of credit monitoring for one year at no charge.”
- Texas Health Care, P.L.L.C. reported that 554 were affected by breach on March 10 involving “theft, paper.” No statement appears on the practice’s web site and I can find no substitute notice or press release about the breach in online sources I searched. An email inquiry was sent to the practice but received no response by the time of this publication..
- Lake Granbury Medical Center in Texas reported that 502 patients were affected by a breach on February 13 involving “Theft,Paper.” There does not appear to be any statement on their web site, and again, I could find no substitute notice available online.
- Carpenters Health & Welfare Trust Fund for California reported that its business associate, QuickRunner, Inc. (dba RoadRunner Mailing Services experienced a breach involving paper records that affected 2,400 on March 11 and March 12. Neither entity appears to have a substitute notice on their respective web sites, and I can find no media coverage at the time of this publication.
- Mount Sinai Medical Center in Florida reported that 628 patients were notified of a breach that seemingly occurred over a period of months. Curiously, the report on HHS’s breach tool did not include any mention of the business associate, even though it was employee of a vendor who reportedly stole patient information. A statement on the medical center’s web site explains:
At Mount Sinai Medical Center, we take our commitment to patient privacy very seriously, and we work diligently to ensure the security of our patients’ confidential information. Regrettably, this notification concerns an incident related to that information.
On February 28, 2013, we learned from local law enforcement that an employee of a contracted vendor of the Medical Center may have accessed patient information inappropriately from October 2012 to February 2013. Upon learning this information, we conducted an investigation and began fully cooperating with law enforcement authorities. The suspect has been arrested.
Our investigation confirms that the information involved includes patient names, dates of birth, Social Security numbers, and addresses. A second group of information includes patient names, addresses, bank account numbers, and routing numbers. While a patient’s information may have been exposed, it does not mean that it was misused. The incident did not affect any patients’ medical records, medical treatment or Mount Sinai billing accounts.
We began mailing letters to affected patients on March 15, 2013. We have also set up a call center with a toll-free help line for all patients who have questions. The phone number is 1-877-282-6407. The call center is staffed weekdays from 9 am until 7 pm eastern time. Also, if you have concerns about this situation and have not received a letter from us by March 29, 2013, please call the help line with your questions.
We deeply regret any inconvenience or concern this event may cause. We are in the process of undergoing a comprehensive review of our security policies and practices to help prevent a similar incident from occurring in the future.
- Thomas L. Davis, Jr. DDS of Oregon reported that 3,269 patients were notified of a breach in February involving EMRs and a desktop computer. Dr. Davis does not appear to have a web site and I can find no press release or substitute notice about the breach by the time of this publication.