In November of 2011, this site reported on a breach involving Lawrence Memorial Hospital in Kansas. Available information at the time indicated that 8,000 patients’ financial information might have been accessed. The online payment system was provided by Mid Continent Credit Services.
Yesterday, HHS updated their entry on the incident. Their records show that 8,275 patients were affected by the breach, which occurred between September 20, 2011 – October 28, 2011. According to OCR’s summary:
“The covered entity’s (CE), Lawrence Memorial Hospital, business associate (BA), performed a security update to the CE’s website that potentially allowed the impermissible disclosure of 8,275 individuals’ electronic protected health information (ePHI). The ePHI consisted of names, addresses, other demographic information, and credit card/bank account numbers. Upon discovering the breach, CE shut down its website, removed all identified cached pages containing ePHI, started actions to terminate the relationship with the BA, and updated its breach notification policy. CE also provided breach notification to affected individuals, HHS, and the media, and posted substitute notice on its website. It offered credit monitoring service to affected individuals. As a result of OCR’s investigation, CE finalized its new breach notification policy, updated its BA contracts, and re-trained staff on its privacy, security, and breach notification polices.”