HHS has updated its public breach tool again.
Let’s start with the ones we already knew about:
- The Wm. Jennings Bryan Dorn VAMC breach involving a laptop lost in February affected 7,405.
- The patient data theft involving an employee at South Shore Physicians in New York resulted in notification to 8,000, although the employee was charged with stealing 80 patients’ information.
- Boy Scouts of America Employee Benefit Plan notified 8,911 plan participants of a breach involving UnitedHealthcare vendor RR Donnelley‘s stolen desktop computer. I remember reading RR Donnelley‘s notification to California earlier this year, but don’t seem to have entered it on this blog. Here is part of UnitedHealthcare’s notification letter:
We take your privacy and the confidentiality of the information entrusted to us very seriously. Despite our best attempts, there was a recent incident in which your personal information, in connection with your participation in the Boy Scouts of America 2003 health benefit plan, may have been compromised. We wanted to make you aware, as well as explain some options available to you to protect you.
According to RR Donnelley, a print and mailing vendor that UnitedHealthcare uses, sometime between the second half of September and the end of November, 2012, an unencrypted desktop computer was stolen from one of its facilities. On December 3, 2012, upon discovering that the computer was stolen, the vendor promptly filed a report with law enforcement, and because it was entrusted with UnitedHealthcare member data as part of a Business Associate relationship, UnitedHealthcare was also notified.
According to our vendor, the 2003 information contained on the computer was limited to your name, address and Social Security number. We have no indication that this information has been accessed, misused or further disclosed. The vendor is continuing to work with law enforcement in an attempt to locate the stolen computer.
- The CCS Medical breach for tax refund fraud affected 6,601. I had reported this breach on this blog back in December 2012. Why did it take so long to show up on HHS’s breach tool?
- Add Dreyer Medical Clinic to the clients of Blackhawk Consulting Group affected by a hack of the payment card processor. The clinic reports that 998 patients were affected by the breach that occurred between June 30 and August 15. A statement, linked from Dreyer’s home page, says, in part:
Blackhawk’s investigation confirmed that patient information submitted for electronic payment of Dreyer services, was affected and included names, billing addresses, credit card numbers, expiration dates, CVV2 (authorization) numbers, and email addresses. No bank account numbers, social security numbers, or PIN numbers were involved.This did not affect all Dreyer patients, only those who submitted electronic payment of Dreyer services from June 30, 2013, to August 15, 2013.
Blackhawk began sending letters to affected patients on September 13, 2013 and has also established a dedicated call center for patients to call with any questions.
Breaches that are news to me:
- Atlanta Center for Reproductive Medicine reported that 654 patients were notified of a breach involving e-mail on July 12. I can find no media coverage or substitute notice on their web site to explain the nature of the e-mail breach. Were data sent to an employee’s personal email account? Were names or email addresses of patients disclosed in a TO: field instead of masked in a BCC: field? Once again, HHS’s breach tool leaves us with more questions than answers.
- Accountable Care Organization of Puerto Rico, Inc. (ACO of Puerto Rico) reported a breach involving PHM Healthcare Solutions. The breach, which affected 5,000, occurred between March 5 and July 16 and involved unauthorized access or disclosure from their network. There is no statement on their web site to explain the breach.
- And my nominee for the most unhelpful HHS breach tool entry of the day:
“Dermatology Associates of Tallahassee,FL,,915,00/00/0000,Unknown,Other,9/26/2013,,”
I was able to locate a press release on Dermatology Associates of Tallahassee’s web site dated September 4, but it doesn’t really explain anything:
Dermatology Associates of Tallahassee has learned that the personal information, including name, address, social security number, and date of birth, of 916 patients has been compromised. As part of a swift response, the practice sent written notices to all affected patients and offered them one year of credit monitoring and reporting services, through Equifax, at no cost to any affected patient.
At this time, there are no indications that the information has been used by an unauthorized individual. Nevertheless, the practice encourages its patients to closely monitor their credit and bank account activity and report any suspicious transactions.
Dermatology Associates of Tallahassee understands the inconvenience this incident may have posed on all affected patients and sincerely regrets that this situation has occurred. As part of its commitment to providing quality care, including the protection of its patients’ personal information, the practice implemented additional policies and procedures to further protect the privacy of its patients and secure their personal information.
For more information regarding this incident, please contact practice administrator, Mr. Brian Schaper, at (850) 877- 4134, ext. 1154.
Sadly, their notice does not explain what happened, how, or when. Nor does it explain what policies and procedures it has implemented as a result. Hopefully their letter to patients provided more details. If anyone obtains a copy, please send it to PHIprivacy.net.