DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Updates to HHS's breach tool

Posted on October 1, 2013 by Dissent

HHS has updated its public breach tool again.

Let’s start with the ones we already knew about:

  • The Wm. Jennings Bryan Dorn VAMC breach involving a laptop lost in February affected 7,405.
  • The patient data theft involving an employee at South Shore Physicians in New York resulted in notification to 8,000, although the employee was charged with stealing 80 patients’ information.
  • Boy Scouts of America Employee Benefit Plan notified 8,911 plan participants of a breach involving UnitedHealthcare vendor RR Donnelley‘s stolen desktop computer. I remember reading RR Donnelley‘s notification to California earlier this year, but don’t seem to have entered it on this blog. Here is part of UnitedHealthcare’s notification letter:

We take your privacy and the confidentiality of the information entrusted to us very seriously. Despite our best attempts, there was a recent incident in which your personal information, in connection with your participation in the Boy Scouts of America 2003 health benefit plan, may have been compromised. We wanted to make you aware, as well as explain some options available to you to protect you.

According to RR Donnelley, a print and mailing vendor that UnitedHealthcare uses, sometime between the second half of September and the end of November, 2012, an unencrypted desktop computer was stolen from one of its facilities. On December 3, 2012, upon discovering that the computer was stolen, the vendor promptly filed a report with law enforcement, and because it was entrusted with UnitedHealthcare member data as part of a Business Associate relationship, UnitedHealthcare was also notified.

According to our vendor, the 2003 information contained on the computer was limited to your name, address and Social Security number. We have no indication that this information has been accessed, misused or further disclosed. The vendor is continuing to work with law enforcement in an attempt to locate the stolen computer.

  • The CCS Medical breach for tax refund fraud affected 6,601. I had reported this breach on this blog back in December 2012. Why did it take so long to show up on HHS’s breach tool?
  • Add Dreyer Medical Clinic to the clients of Blackhawk Consulting Group affected by a hack of the payment card processor. The clinic reports that 998 patients were affected by the breach that occurred between June 30 and August 15.  A statement, linked from Dreyer’s home page, says, in part:

Blackhawk’s investigation confirmed that patient information submitted for electronic payment of Dreyer services, was affected and included names, billing addresses, credit card numbers, expiration dates, CVV2 (authorization) numbers, and email addresses. No bank account numbers, social security numbers, or PIN numbers were involved.This did not affect all Dreyer patients, only those who submitted electronic payment of Dreyer services from June 30, 2013, to August 15, 2013.

Blackhawk began sending letters to affected patients on September 13, 2013 and has also established a dedicated call center for patients to call with any questions.

Breaches that are news to me:

  • Atlanta Center for Reproductive Medicine reported that 654 patients were notified of a breach involving e-mail on July 12. I can find no media coverage or substitute notice on their web site to explain the nature of the e-mail breach. Were data sent to an employee’s personal email account? Were names or email addresses of patients disclosed in a TO: field instead of masked in a BCC: field? Once again, HHS’s breach tool leaves us with more questions than answers.
  • Accountable Care Organization of Puerto Rico, Inc. (ACO of Puerto Rico) reported a breach involving PHM Healthcare Solutions. The breach, which affected 5,000, occurred between March 5 and July 16 and involved unauthorized access or disclosure from their network. There is no statement on their web site to explain the breach.
  • And my nominee for the most unhelpful HHS breach tool entry of the day:

“Dermatology Associates of Tallahassee,FL,,915,00/00/0000,Unknown,Other,9/26/2013,,”

I was able to locate a press release on Dermatology Associates of Tallahassee’s web site dated September 4, but it doesn’t really explain anything:

Dermatology Associates of Tallahassee has learned that the personal information, including name, address, social security number, and date of birth, of 916 patients has been compromised. As part of a swift response, the practice sent written notices to all affected patients and offered them one year of credit monitoring and reporting services, through Equifax, at no cost to any affected patient.

At this time, there are no indications that the information has been used by an unauthorized individual. Nevertheless, the practice encourages its patients to closely monitor their credit and bank account activity and report any suspicious transactions.

Dermatology Associates of Tallahassee understands the inconvenience this incident may have posed on all affected patients and sincerely regrets that this situation has occurred. As part of its commitment to providing quality care, including the protection of its patients’ personal information, the practice implemented additional policies and procedures to further protect the privacy of its patients and secure their personal information.

For more information regarding this incident, please contact practice administrator, Mr. Brian Schaper, at (850) 877- 4134, ext. 1154.

Sadly, their notice does not explain what happened, how, or when. Nor does it explain what policies and procedures it has implemented as a result. Hopefully their letter to patients provided more details. If anyone obtains a copy, please send it to PHIprivacy.net.


Related:

  • Two more entities have folded after ransomware attacks
  • Data breach feared after cyberattack on AMEOS hospitals in Germany
  • Premier Health Partners issues a press release about a breach two years ago. Why was this needed now?
  • Theft from Glasgow’s Queen Elizabeth University Hospital sparks probe
  • North Country Healthcare responds to Stormous's claims of a breach
  • Texas Enacts Electronic Health Record Data Localization Law
Category: Health Data

Post navigation

← IN: Telecom Company Being Investigated for Information Breach
Statement from St. Mary's Janesville Hospital →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Clorox Files $380M Suit Alleging Cognizant Gave Hackers Passwords in Catastrophic 2023 Cyberattack
  • Cyberattacks Paralyze Major Russian Restaurant Chains
  • France Travail: At least 340,000 job seekers victims of new hack
  • Legal Silence and Chilling Effects: Injunctions Against the Press in Cybersecurity
  • #StopRansomware: Interlock
  • Suspected XSS Forum Admin Arrested in Ukraine
  • PowerSchool commits to strengthened breach measures following engagement with the Privacy Commissioner of Canada
  • Hungarian police arrest suspect in cyberattacks on independent media
  • Two more entities have folded after ransomware attacks
  • British institutions to be banned from paying ransoms to Russian hackers

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Meta Denies Tracking Menstrual Data in Flo Health Privacy Trial
  • Wikipedia seeks to shield contributors from UK law targeting online anonymity
  • British government reportedlu set to back down on secret iCloud backdoor after US pressure
  • Idaho agrees not to prosecute doctors for out-of-state abortion referrals
  • As companies race to add AI, terms of service changes are going to freak a lot of people out. Think twice before granting consent!
  • Uganda orders Google to register as a data-controller within 30 days after landmark privacy ruling
  • Meta investors, Zuckerberg reach settlement to end $8 billion trial over Facebook privacy violations

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.