Today’s update to HHS’s breach tool included a number of incidents that I had not known about:
- Servicios Medicos Integrados de Fajardo in Puerto Rico reported that T & P Consulting, Inc. d/b/a Quantum Health Consulting reported lost device(s) with PHI on 10,000. The incident occurred on January 11, 2012, and I had already entered this in DataLossDB.org, except… that HHS has two entries for this breach, both dated January 11, 2012. The first one, already included in HHS’s breach tool and DataLossDB.org, involved a report of a stolen laptop with information on 36,609. Today’s addition to the breach list refers to the loss of an electronic device with information on 10,000. Was more than one device involved in the incident?
- Columbia University Medical Center and NewYork-Presbyterian Hospital reported that 4,929 patients had PHI on a stolen desktop computer. The theft from a locked office occurred sometime between October 12, 2012 and October 15, 2012. I was able to find a privacy alert still on their website and a press release.
- CenterLight Healthcare in New York reported that 642 patients had PHI disclosed in an email incident on January 27, 2012. I was unable to locate additional information on this one.
- Wyatt Dental Group in Louisiana reported what sounds like an insider breach affecting 10,271 patients. According to the log entry, the breach occurred between November 4, 2011 and April 15, 2012 and involved “Theft, Unauthorized Access/Disclosure,Electronic Medical Record.” I was able to locate their attorneys’ report with the Maryland Attorney General’s Office, which confirms this was an insider breach. The dental group learned of it on July 19, 2012 from the Louisiana State Police.
- The Arkansas Department of Finance and Administration, Employee Benefits Division reported that 7,039 employees were affected by a breach at Health Advantage that occurred in October 2012. The incident involved paper records, and Health Advantage separately reported the breach as affecting 2,863. In addition to Arkansas DFA, Baptist Health System in Arkansas reported that 811 of their patients were affected by the incident.
- Titus Regional Medical Center in Texas reported that 5,700 patients were affected by an incident involving a laptop on March 27, 2012. In checking my records, I see that Titus Regional Medical Center had reported a theft on March 29, 2012 that affected 500 patients. That report does not indicate the location of the data. This newly added report describes the incident as “loss, other” of a laptop, so I’m not sure if these two reports are part of the same incident or not, or if one of them refers to the laptop that may have fallen off a fender.
- The University of New Mexico Health Sciences Center reported that 2,365 patients had PHI on a server that was hacked on May 21, 2012. I haven’t found any additional details on this one yet.
- Pousson Family Dentistry in Louisiana reported that 1,400 patients – including Dr. Pousson himself – had PHI on a laptop stolen on December 3, 2012. I was able to locate a copy of their notification letter dated December 18, 2012.
- Original Medicine Acupuncture & Wellness, LLC of New Mexico reported that 540 patients had PHI on laptops stolen in an office burglary on September 7, 2012. I was able to locate a copy of their media notice.
- The Visiting Nurse Services of Iowa reported that 1,298 patients had PHI on stolen paper records. I was unable to locate any additional details.
- The University of Nevada School of Medicine notified 1,483 patients whose PHI were on records that were accidentally disposed of on October 11, 2012 instead of being shredded. I was able to locate their notice about the breach.
- The County of San Bernardino Department of Public Health in California reported that 1,370 patients had PHI on records involved in a breach that occurred between September 28, 2012 and September 30, 2012 involving “Unauthorized Access/Disclosure,Paper.” I was unable to locate any notice for this breach.
- AccentCare Home Health of California, Inc. reported that 1,000 patients had PHI in a breach involving e-mail that occurred in April 2012. I was unable to find any details on this breach, either.
- Molalla Family Dental in Oregon reported that 4,354 patients had PHI involved in a hacking incident on May 17, 2012. I was able to locate some media coverage of the breach and this reference to a “back-door portal.”
- Rob Meaglia, DDS reported 1,400 patients had PHI on a desktop computer stolen during an office burglary on December 16. I’ll have more to say about this incident in a separate post this week, but here’s his notification letter to patients.
- The Wyoming Department Of Health reported that 11,935 had PHI involved in an October 16, 2013 incident involving “Unauthorized Access/Disclosure,Network Server.” I was able to locate their notice on their website that explained that this was an exposure incident affecting the Special Supplemental Nutrition Program for Women, Infants and Children (WIC) Program.
- Terrell County Health Department in Georgia reported that 18,000 had PHI involved in an incident that occurred January 9, 2012 to April 17, 2012 involving “Unauthorized Access/Disclosure,Network Server.” I’ve been unable to find any details on this breach, but with 18,000 affected, I’m surprised that I never saw this in the news.
- Florida Healthy Kids Corporation reported that a breach involving DentaQuest of Florida, LLC affected 3,667. The breach occurred November 1, 2012 – December 20, 2012 and involved “Unauthorized Access/Disclosure,Paper.” I was unable to locate any documentation on the incident.
- Coastal Home Respiratory, LLP in Georgia reported that 3,440 patients had their data stolen on October 4, 2012. Well, I think it was stolen. The HHS log reports it as “Theft,Other” but I can find no documentation on the incident.
- Miami Beach Healthcare Group LTD dba Aventura Hospital and Medical Center in Florida reported 2,560 patients had PHI stolen from their EMR between January 1, 2012 and September 12, 2012. Here is the hospital’s statement. I’m surprised there wasn’t more coverage of this or that I missed this one.
- Baptist Health System in Alabama reported that 1,655 had PHI on paper records disposed of improperly on March 8, 2012.