Updates to HHS breach tool

HHS added a number of breaches to its public breach tool yesterday, including one from 2008.

Here are the ones we already knew something about, linked to previous coverage on this blog:

• Phoebe Putney Memorial Hospital
• Coulee Medical Center reported that 2,500 patients had their PHI improperly shared by the physician
• University of Pennsylvania Health System reported that the error by RevSpring affected 3,000 (more than what was reported previously)
• North Carolina Department of Health and Human Services
• Southwest General Health Center notified 953 patients, not 480 as reported in the media at the time. I’m not sure why the HHS entry shows the breach occurred between April and October and suspect the hospital was reporting the dates of patient visits rather than the date the binder went missing.
• St. Joseph Health System
• RGH Enterprises  d/b/a Edgepark Medical Supplies notified 4,230 patients.
• Complete Medical Homecare notified 1,700 patients.
• Robert Neves, M.D. Curiously, this 2011 incident had been posted to their breach tool back in 2011. Why that entry was removed and replaced more recently with the same information is unclear.

The following breaches were not previously reported on this blog. Of concern, this is the first time I’ve been unable to find ANY information on so many breaches reported to HHS. I’ve sent email inquiries to some of the covered entities below and hope to have more details at some point, so do check back for updates:

• 101 Family Medical Group in California reported a laptop theft involving business associate Phreesia on November 23, 2013. The laptop reportedly contained information on 2,500 patients. There is no statement on their website and I can find no media coverage of the incident.
• Tri-Lakes Medical Center in Mississippi notified 1,489 patients after what might be a hacking incident on September 20, 2013. There is no statement on their website at this time and I can find no media coverage, either.
• Virginia  Dept. of Medical Assistance Services notified 25,513 clients of a breach involving Virginia Premier Health Plan (VPHP) that occurred in November. The breach was coded as “Unauthorized Access/Disclosure, Other”, Paper. A legal (substitute) notice appeared on HamptonRoads.com on January 23, but is no longer available.
• Cook County Health & Hospitals System in Illinois reported that 22,511 were notified of a breach involving e-mail that occurred on November 12.
• The University of Texas MD Anderson Cancer Center in Texas reported that 3,598 were notified of an incident on December 2 involving a portable electronic device.  The missing thumb drive is believed to contain “some patient information, including first and last names, medical record numbers, dates of birth (for a very small number of patients), diagnoses, and treatment and/or research information relating to treatment of infections. The USB thumb drive contained no Social Security numbers or other financial information.” Their notification can be found on their website, here.
• Network Pharmacy Knoxville in Tennessee reported that 9,602 patients had data on laptop that was stolen on November 18. A cached copy of a legal notice that appeared on January 20 in the Times Free Press reads:

LEGAL NOTICE Network Pharmacy, Knoxville Reports Possible Breach of Information

Officials at Network Pharmacy, Knoxville have reported a possible breach of patient information due to a stolen laptop that was not encrypted. The information on this laptop included patient names, dates of birth and personal medical information. Network Pharmacy, Knoxville has begun an immediate investigation of the incident and security measures have been revised to prevent future incidents of this nature. The company believes there is low risk of this information being used inappropriately; however, we understand any concern of possible unauthorized use of personal information. If you have any questions regarding this incident, you may contact us by using the toll-free number 1-888-568-8578. When using the toll-free number, please indicate that you are calling in regards to the breach of information that occurred at Network Pharmacy, Knoxville.

• Health Dimensions in Michigan reported that 5,370 patients were notified of an incident on November 2nd involving “Theft,Network Server.”
• Triple-S Salud in Puerto Rico and Triple-C, Inc. reported that 8,000 were affected by a breach in October 2008 involving “Theft, Unauthorized Access/Disclosure”,Network Server.” I have no idea what this is about, but note Triple-S Salud has had other very large breaches since that time. I also have no idea why this is even on HHS’s public breach tool if it occurred in 2008 – before HITECH –  unless the breach was only first discovered after HITECH went into effect.