DataBreaches.Net


HHS adds 13 breaches to its breach tool

Posted on August 28, 2013 by Dissent

HHS added 13 more breaches to its breach tool this week.

Let’s start with the breaches we already had some information about and indicate what new information can be gleaned from HHS’s entries:

  • The Vitreo-Retinal Medical Group breach reportedly affected 1,837.
  • The California Correctional Health Care Services breach affected 1,001 inmates.
  • The Indiana Family & Social Services Administration breach. Interestingly, IFSSA did not report the involved Business Associate as being responsible for the breach although other coverage named RCR Technology Corporation (RCR) as the responsible BA.
  • The Rocky Mountain Spine Clinic breach.
  • The Cogent Healthcare breach due to M2ComSys’s firewall error.
  • The Foundations Recovery Network breach affected 5,690 patients.
  • The breach reported by counselor Janna Benkelman affected 1,500 patients.
  • The Missouri Department of Social Services reported that its business associate, InfoCrossing, Inc. was responsible for a breach affecting 1,357 individuals between October 2011 and June 7 of this year. This appears to be the breach previously identified on this blog as the MO HealthNet breach. The state’s notice about the breach can be found here.

There was one other breach in the recent update that may (or may not) belong with the grouping above. According to HHS’s log, GEO Care, LLC in Florida reported that 710 patients were affected by a breach on April 16, 2013. The breach was coded as “Unauthorized Access/Disclosure,Desktop Computer.” I’m wondering if this might be the South Florida State Hospital breach reported previously on this blog.

Here are some breaches I hadn’t previously known about:

  • Louisiana State University Health Care Services Division reported a breach that occurred on December 1, 2011. Yes, the log says 2011. HHS’s log does not indicate the date a breach was discovered, so it’s unclear from their entry whether LSUHCS only recently discovered this breach or had simply failed to report it when it happened. The breach, which HHS coded as “Unauthorized Access/Disclosure,Desktop Computer,” reportedly affected 6,994 patients. The log entry does not appear to correspond to either of two previous breach reports covered on this blog. I have sent an e-mail to LSUHCS requesting more information on their report to HHS and they are looking into it.
  • Brookdale University Hospital and Medical Center in New York reports that 2,700 patients had PHI on a portable electronic device lost on May 24. I could not find any substitute notice for the breach and have e-mailed the center to request an explanation and details but have not received a response as of the time of this posting. This is Brookdale’s third incident to appear on HHS’s breach tool. The first, in August 2012, involved a business associate, Standard Register, and the paper records of 2,261 patients. The second, in September 2012, involved another business associate, Health Plus Amerigroup, and affected 28,187 patients whose PHI was disclosed to other facilities in error.
  • Young Family Medicine Inc. in Ohio reported that 2,045 patients had PHI on a laptop stolen on June 12. I cannot find any web site for the practice or substitute notice. Which raises another question: why are there so many breaches affecting more than 500 where I can’t find a substitute notice? Are they appearing in local media not indexed by Google, or are they disappearing too quickly before I can find them?
  • Hancock OB/GYN in Indiana reported that 1,396 patients were affected by a breach that began November 9, 2011 and continued until June 17 of this year. A statement on the home page of their web site dated August 14 explains that

an employee at the practice had accessed physician notes in those patients’ medical records without a work-related reason for doing so. The physician notes included the patient’s name, date of service, medical record number and specific clinical information regarding the OB/GYN care provided. No financial or other identifying information was inappropriately accessed by the employee and no copies of the information were made during the inappropriate access.

Upon verifying incidents of this on June 17, 2013, the practice immediately began a thorough investigation, which was completed on or about July 31, 2013. The practice then cross-referenced those results with another practice database to retrieve the contact information needed to provide affected individuals with written notice. The practice’s investigation revealed that the employee had accessed the physician notes in 1,396 patient records out of curiosity during her employment from November 9, 2011 through June 17, 2013.

Hancock OB/GYN is committed to protecting patient confidentiality and therefore terminated the employee for violating the practice’s policies protecting patient privacy. The practice has notified affected patients of this incident in writing and has re-educated the remaining Hancock OB/GYN employees on its policy regarding access to and the appropriate use of patient information.

Hancock OB/GYN deeply regrets the actions of its former employee and wants to reassure its patients that privacy is a priority. The practice has established a toll-free information line for individuals who have additional questions about this incident. Those individuals can call 1-866-221-0150 between the hours of 9:00 AM to 7:00 PM, Monday through Friday.

The above is a useful example of a well-written breach notice. The only thing missing, I think, is some statement about hardening access controls or monitoring so that such improper access is detected promptly, if not prevented. Simply re-educating employees without implementing more monitoring is unlikely to be as efficient as a combination of both.

I will update this entry if and when I obtain more details on the breaches where we have little information.
