DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

IU Health Arnett Hospital notified 30,000 of missing or stolen portable storage device

Posted on January 8, 2016 by Dissent

First the statement from Indiana University Health Arnett Hospital from December 31:

IU Health Arnett is committed to maintaining the privacy and security of personal information provided to us. Regrettably, this notice concerns an incident involving some of that information.

On November 20, 2015, we learned that an unencrypted portable storage device was missing from the Emergency Department, and an ongoing search continues.  We immediately began an investigation and determined that the device contained spreadsheets with limited patient information from Emergency Department visits that occurred between November 1, 2014 and November 20, 2015.  The spreadsheets may have included patients’ names, dates of birth, ages, home telephone numbers, medical record numbers, dates of service, diagnoses and treating physicians.  The spreadsheets did not contain any Social Security numbers, financial information, or medical records and patient care will not be affected.  We are continuing to search for the device but are informing you in the event we are unable to locate it.

This incident did not affect all IU Health Arnett patients; only those treated in the Emergency Department between November 1, 2014 and November 20, 2015.

IU Health Arnett has no reason to believe the information on this device has been improperly accessed or used; however, we sent letters to affected patients on December 31, 2015.  If you believe you are affected but do not receive a letter by January 15, 2016, please call 1-888-653-5244, Monday through Friday between 9:00 a.m. and 9:00 p.m. Eastern Time.

We apologize for any inconvenience this may cause our patients.  IU Health Arnett takes very seriously its obligation to maintain patient information secure, and we appreciate the trust our patients place in us.  We are taking steps to enhance the protection of portable storage devices and are reviewing policies and procedures to minimize the chance of such an incident occurring in the future.

This is not their first reported breach. They reported one in May 2013, also involving Arnett, and one in 2012 involving Goshen. Then there was an earlier 2011 incident involving the School of Medicine, and another 2011 incident involving the School of Optometry. If you check HIPAA Helper, you’ll find a lot of entries, but many of them appear to be different agencies looking at the same incident, or individual or small-N complaints.

For the current incident, WBAA reports that 30,000 patients were notified.

So, will the FTC open an investigation? Isn’t the failure to adopt industry standards grounds for an enforcement action these days?

Category: Breach IncidentsHealth Data

Post navigation

← Hacked OPM won’t cough up documents on mega-breach – claim
FTC e-mail gaffe reveals 600 attendees’ email addresses before privacy conference →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Ireland’s Data Protection Commission publishes 2024 Annual Report
  • The headlines suggested Freedman Healthcare suffered a ransomware attack that affected patient data. The reality was quite different.
  • Runsafe report: Medical device cyberattacks threaten patient care, strain budgets, top concern for healthcare sector
  • Ryuk ransomware’s initial access expert extradited to the U.S. from Ukraine
  • Alleged Geisinger hacker will defend himself pro se.
  • Tallahassee Memorial Healthcare reveals it was also impacted by Cerner/Legacy Oracle cyberattack
  • Hospital cyberattack investigation complete, no formal review needed (1)
  • Largest Ever Seizure of Funds Related to Crypto Confidence Scams
  • IMPACT: 170 patients harmed as a result of Qilin’s ransomware attack on NHS vendor Synnovis
  • DOJ’s Data Security Program: Key Compliance Considerations for Impacted Entities

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • US Judge Invalidates Biden Rule Protecting Privacy for Abortions
  • DOJ’s Data Security Program: Key Compliance Considerations for Impacted Entities
  • 23andMe fined £2.31 million for failing to protect UK users’ genetic data
  • DOJ Seeks More Time on Tower Dumps
  • Your household smart products must respect your privacy – including your air fryer
  • Vermont signs Kids Code into law, faces legal challenges
  • Data Categories and Surveillance Pricing: Ferguson’s Nuanced Approach to Privacy Innovation

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.