Seven Counties Services, Inc. in Kentucky notified HHS that 727 clients were affected by an incident on February 26, 2014 involving paper records. The incident was coded as “Improper Disposal, Unauthorized Access/Disclosure.” There’s no statement on the non-profit’s website, and PHIprivacy.net has emailed them to request details.
Southwest Virginia Physicians for Women in Virginia notified HHS that 568 patients were affected by a breach on January 1, 2014 that was coded as “Theft, Unauthorized Access/Disclosure” of paper records. I could not locate any web site or additional information online.
Burlington Northern Santa Fe Group Benefits Plan notified HHS that 507 members were impacted by a breach on September 17, 2014 that involved the loss of a portable electronic device. Again, I was unable to locate any additional details online.
Orange Community MRI in New Jersey notified HHS of a breach involving their business associate, Vcarve LLC, who does business as MD Manage. The breach tool entry indicates that 585 patients were affected by a breach on April 6, 2014 that involved “Unauthorized Access/Disclosure” of data on their “Network Server.”
What caught my eye was that in April 2014, Orange Community MRI was caught up with the Department of Justice over charges that they had been paying kickbacks to a number of physicians to get them to refer patients to Orange Community MRI. In May 2014, the Department of Justice issued a press release that recapped the prosecutions up to that date:
Ashokkumar Babaria, 64, of Moorestown, N.J., Orange MRI’s former medical director, has been ordered to forfeit more than $2 million in revenue from corrupt referrals. Chirag Patel, 38, of Warren, N.J., Orange MRI’s former executive director, awaits sentencing and has agreed to forfeit $89,180 in corrupt gains. In addition, 13 health care providers, including Mahesh Patel, have agreed to forfeit a total of $460,140 in illegal cash kickbacks. Two health care providers were convicted at trial and forfeiture has yet to be determined.
So while all that was going on, Orange Community MRI’s business associate had a breach? Were any of these patients’ records evidence in the kickback cases? Were the patient records accessed, acquired, or acquired and deleted? I’d ask Orange MRI, but they don’t seem to have a web site, and MDManage.com’s contact form doesn’t work and email to their info@ address bounces back as mailbox unavailable. Good luck to HHS investigating this one. Presumably, they have working contact information for them.