The following breaches were reported on HHS’s breach tool, but no media coverage or statements have been found to provide additional details. If you have additional information on any of these, please use the Comments section to let me know. Thomas Cristello, Chiropractor PC in New York reported that 914 patients had information on a portable…
Month: November 2014
More details emerge on Madison Street Provider Network breach
Back in September, PHIprivacy.net noted: 9News reports that Madison Street Provider Network, Inc., dba Omni Eye Specialists, Spivack Vision Center, Madison Street Surgery Center, Madison Street Anesthesia, and Madison Street Company Nurse Practitioner said they were a target of a data breach and will be notifying patients. Stay tuned, as there’s no notification on any web site(s) yet. The incident has now been added…
NYU Urology Associates notifies patients whose information was sent to a patient in March.
An incident recently added to HHS’s public breach tool involves NYU Urology Associates. According to the log entry, 835 patients were affected by a breach that occurred on February 19, 2014. I was able to locate a statement on NYU’s website about the incident: NYU LANGONE MEDICAL CENTER NOTIFIES PATIENTS OF DATA BREACH October 10,…
For NYC Health & Hospitals Corporation, 2011 wasn't a great year for data security, Part 2
In the process of investigating a previously unknown 2011 breach involving NYC Health & Hospitals Corporation (HHC), I discovered that they had a third breach in 2011 that was also only recently discovered and disclosed. This third incident is not in HHS’s public database and won’t be, because it involves fewer than 500 patients. A statement…
For NYC Health & Hospitals Corporation, 2011 wasn't a great year for data security, Part 1
It seems that 2011 was not exactly a stellar year for the NYC Health & Hospitals Corporation (“HHC”) for data security. The first HHC incident was the 2011 breach involving the theft of backup tapes with information on 1.7 million patients. HHC did not incur any monetary penalties for that breach. The second incident, not…
Terminated employee continued to access Bon Secours' patients' billing information
When an employee is terminated, their login credentials to vendors’ databases with PHI must also be terminated. How often do you verify that they are actually being terminated properly? Bon Secours Kentucky notified 697 patients that a former employee had improperly accessed their information from a billing database maintained by Athena. In a statement uploaded to…