Long after some breaches occurred, we first find out via HHS's breach tool (Update 1)

Posted on by Dissent

HHS updated its breach tool yesterday. The following is an annotated list of new entries on their list. It is not clear to me why there are breach entries where the breaches occurred in 2011 or 2012. Did HHS delay in adding incidents to the breach tool or are entities first discovering and/or reporting the incidents? Unfortunately, HHS’s breach list does not include a field for the date on which the incident was reported – only the date that HHS adds it to the list.

The following are newly added incidents for which we already had some information:

  • UT Physicians, the medical group practice of The University of Texas Health Science Center at Houston (UTHealth) Medical School, reported that 596 patients had PHI on the laptop reported missing or stolen.
  • The Olson & White Orthodontics burglary was reported to HHS with the same details as previously reported on this blog.
  • The City of Seguin,TX reported that 839 patients were affected by the Advanced Data Processing  (ADPI) breach in 2012, while Washington County EMS,TX reported that 1,435 of their patients were affected and the City of North College Hill reported that 555 of their patients were affected. For all previous coverage on this blog of ADPI’s breach, click here.
  • Parkview Community Hospital Medical Center in California reported that 32,000 of its patients were affected by the Cogent Healthcare breach caused by a firewall error by its transcription service vendor, M2ComSys. It’s a bit surprising to see one hospital report 32,000 since media reports at the time suggested it was 32,000 total. The number of Parkview patients needs to be confirmed,  as they may have been reporting the total number from Cogent and not just their portion.
  • Jackson Health System in Florida reported that 1,471 patients had PHI in boxes of records that were discovered missing or unaccounted for. The boxes were discovered missing in January.
  • St. Anthony’s Physician Organization in Missouri reported the July 29 theft of a laptop with PHI of 2,600. The laptop was stolen from a physician’s car.
  • Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group reported the theft of computers containing PHI on 4,029,530 patients.

The following are incidents that were not previously noted on this blog:

  • The Kaiser Foundation Health Plan of the Northwest reported a breach affecting 647 patients that occurred on March 15, 2013. This does not appear to be the same breach reported recently on this blog, but as yet, I’ve found no details on it, and e-mailed Kaiser Permanente to request information. Update 1: Kaiser Permanente Northwest replied to my inquiry  with the following statement:

    Kaiser Permanente Northwest recently discovered that an employee viewed medical records without proper authorization. A comprehensive investigation of the incident has been completed and state and federal regulatory agencies notified. Notification letters have been mailed to every affected Kaiser Permanente member. Our internal investigation of this matter shows:

      • There is no evidence that information was viewed by the employee for the purpose of fraud or other criminal activity.
      • The employee had no access to Social Security numbers, credit card information, or records through Mental Health or Addiction Medicine specialties.
      • There is no evidence that the employee retained, maintained, or stored any of the information contained in the medical records.
  • Summit Community Care Clinic in Colorado reported that 921 patients were affected by a Hacking/IT incident that occurred July 22. There is no statement or notice on their web site at this time, and PHIprivacy.net e-mailed them to request information. (see update HERE).
  • Minne-Tohe Health Center/Elbowoods Memorial Health Center in North Dakota reported a breach affecting 10,000. The breach reportedly occurred October 1, 2011, and involved “Improper Disposal, Unauthorized, Access/Disclosure”,”Desktop Computer, Other.” Clear as mud, right? I have no idea what happened there or why it took almost two years for this to show up on HHS’s breach tool. This one may require a phone call.
  • Logan Community Resources, Inc. in Indiana reported that 2,900 were affected by a “Hacking/IT Incident” that occurred on August  24, 2012.  Again, I could find no information online a year after the breach, and so sent an e-mail requesting details of the incident.
  • St. Francis Health Network, aka Franciscan Alliance ACO  in Indiana reported that a breach involving Advantage Health Solutions affected 2,575 patients. The breach occurred on October 19, 2012.  The log entry does not appear to be related to this breach report from July involving Advantage Health Solutions, and PHIprivacy.net has e-mailed Franciscan Alliance ACO to ask for details on the incident.

Because email inquiries sent yesterday have not yet received any replies, do check back to see if this post is updated with additional details.

Category: Health Data