DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

VA: Fairfax County Health notifies 1,499 patients after subcontractor error exposes info online

Posted on December 15, 2013 by Dissent

Jennifer van der Kleut reports:

The Fairfax County Health Department has mailed letters to 1,499 clients of the Bailey’s Health Center, located in Falls Church, to inform them of an unauthorized disclosure of some protected health information.

View the letter to Bailey’s Health Center clients.

This is one of those situations where it really pays to have Business Associate contracts in place where everyone understands their responsibilities to notify the covered entity of breaches. According to the county’s letter, Fairfax County contracts with Molina Healthcare, Inc. to manage the Bailey’s Health Center, which is part of the Fairfax County Health Department’s CHCN program. Molina then subcontracts with a company named Health Business Systems, Inc., which maintains a pharmacy database and provides prescription services to Bailey’s Health Center patients.

On Oct. 18, HBS notified Molina that a computer file containing pharmaceutical records was “inadvertently left on an unsecured computer server” and accessed by three separate entities on four occasions between Sept. 9 and Oct. 3. Molina notified the Fairfax County Health Department on Oct. 24.

Human error breaches are common. To their credit, HBS detected the breach itself. The county’s letter states:

The breach was discovered through a routine forensic audit performed by HBS in the normal course of business. The error was discovered on October 4, 2013; all of the compromised files containing personal patient information were moved to a secured server on October 7, 2013.

But why, then, did it take weeks more for the county to be notified? If HBS discovered the breach on Oct. 4, why did it take until October 18 for them to notify Molina? And why did it take Molina another 6 days to notify the county and the county another month and a half to start notifying patients?  Is this a reasonable timeframe or is there room for improvement here?

The exposed PHI included name and address of the patient; pharmacy identification number of the patient; medication name and dosage; description of medication National Drug Code (NDC); payment information; prescriber’s name and address; and some patient social security numbers.

The county’s letter provides plain language suggestions for patients as to how to protect themselves and offers them a year of credit monitoring with AllClear ID. It also reassures patients that they are taking steps to try to prevent this from happening again:

Although the County has in place multiple administrative requirements needed to protect your health information in compliance with HIPAA, this incident has lead us to review our current contract language and requirements related to the handling of pharmaceutical records to prevent such occurrences in the future. We plan to take further steps to safeguard our patient care records including a review of existing databases in order to confirm that all private patient information is secured on encrypted servers pursuant to Fairfax County Policy. Fairfax County will continue to take all necessary steps to protect the personal information of patients of the CHCN.

Overall, I’m pretty impressed with the breach response, other, perhaps, than how long it took. From day of discovery (October 4) to notification letter (December 11) was more than the 60 days proscribed by HITECH.  I hope Fairfax’s review considers whether this could have been handled more quickly.

If you are a patient who was affected by this breach, are you satisfied with the county’s notification to you and their handling of this breach?

Related posts:

  • More on today's HHS update: newly disclosed incidents
  • Updating: CaptureRx incident impacted more than 2.4 million. List of Entities.
Category: Health Data

Post navigation

← Pointer: Lanap and Implant Center breach
Ohio Department of Job and Family Services warns of possible information leak after computer stolen →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024
  • Battlefords Union Hospitals notifies patients of employee snooping in their records
  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.