Back in September, I noted an addition to HHS’s breach tool this way:
St John’s Episcopal Hospital in New York reported that its business associate, Emdeon, was involved in a breach that affected 566 patients. The date of the breach is listed as July 24, 2012. I hope that’s a typo, but in the absence of information…. The breach was coded as “theft, paper.”
I’m still not clear as to whether the reported year of breach was a typo, but this week’s additions to HHS’s breach tool indicate that another Emdeon client also reported a breach.
Service Employee International Union National Benefit Fund in New York reported that 800 members were affected by a breach involving Emdeon that was also coded as “theft, paper.” The date of the breach was reported as July 14, 2014. Emdeon is the SEIU’s electronic payment partner. There doesn’t seem to be any statement on the SEIU’s website about the incident.
So was there one breach or two? I’m inclined to think this was all one incident, but Emdeon did not respond to an inquiry from PHIprivacy.net seeking clarification and details.