Here’s a breach that was actually disclosed in June, but first was posted to HHS in July. Kudos to HIPAAJournal who found their statement on their website when my old eyes missed the small print. You can read HIPAAJournal’s coverage here.
The following is from Midland Memorial Hospital’s statement concerning a breach that impacted 1,468 patients:
MIDLAND, TX – June 7, 2016 – Today, Midland Memorial Hospital announced that it is currently investigating a security incident involving certain patients’ personal information. The hospital is providing notice to individuals who may have been affected by the incident and offering free credit monitoring and identity protection services to those patients whose Social Security numbers were included in the records. The hospital regrets any inconvenience or concern this incident may cause.
On April 8, 2016, hospital representatives discovered that Mario M. Gross, M.D., a physician who previously had privileges at the hospital and was formerly employed by Premier Physicians, left patient information at a private residence, causing the information to be accessible to certain members of the public for a limited period of time. Upon learning of the situation, hospital representatives promptly secured the patient records and initiated an internal investigation to determine the specific patients who were affected and the personal information that was contained in those records.
Based on this review, the hospital believes that the patient records may have contained patients’ first and last names, home addresses and certain health information, including dates of birth, Account Numbers/Medical Record Unit Numbers (MRUN), diagnoses, medications, procedures and physicians’ notes. The records may have also contained some patients’ Social Security numbers as well as Medicare and/or Medicaid numbers. Currently, the hospital has no evidence that any of the information has been used inappropriately.
Midland Memorial Hospital recognizes the importance of protecting personal information and is committed to taking steps to prevent this type of incident from occurring again in the future. The hospital has or will be reviewing or modifying its policies and procedures to prevent future incidents, educating its medical staff about the incident and tasking them with reviewing and updating their own controls over patient records, and reminding its workforce about the rules and procedures for protecting patient records.
Midland Memorial Hospital is proactively reaching out to impacted patients to provide guidance on how they can protect themselves. More information for impacted patients is available on the hospital’s website: www.midland-memorial.com/securityupdate. Impacted patients with questions should call 1-844-305-8390, 7 a.m. – 4 p.m. CST, Monday-Friday.
[…]
FAQs
What happened?
On April 8, 2016, hospital representatives discovered that Mario M. Gross, M.D., a physician who formerly had privileges at the hospital and was formerly employed by Premier Physicians, left patient information in his private residence, causing the information to be accessible to certain members of the public for a limited period of time. Upon learning of the situation, we promptly secured the patient records and initiated an internal investigation to determine the specific patients who were affected and the personal information that was contained in those records. Currently, we have no evidence that any of the information has been used inappropriately.
Who is impacted?
The records contained information relating to certain patients, and the hospital sent notification letters in the mail to impacted patients on June 7, 2016.
What information may have been compromised?
The hospital believes that the patient records may have contained patients’ first and last names, home addresses and certain health information, including dates of birth, Account Numbers/Medical Record Unit Numbers (MRUN), diagnoses, medications, procedures and physicians’ notes. The records may have also contained some patients’ Social Security numbers as well as Medicare and/or Medicaid numbers.
What have you done to address this incident?
Upon learning of the situation, hospital representatives promptly secured the patient records and initiated an internal investigation to determine the specific patients who were affected and the personal information that was contained in those records. Moving forward, we are committed to taking steps to prevent this type of incident from occurring again in the future. We have or will be reviewing or modifying our policies and procedures to prevent future incidents, educating our medical staff about the incident and tasking them with reviewing and updating their own controls over patient records and reminding our workforce about the rules and procedures for protecting patient records.
What are you going to do to help patients who are impacted?
We are proactively reaching out to impacted patients to provide guidance on how they can protect themselves. The hospital is offering free credit monitoring and identity protection services to those patients whose Social Security numbers were included in the records. Safeguarding personal information is a top priority at Midland Memorial Hospital, and we sincerely regret any inconvenience or concern this incident may cause our patients.
UPDATE: Dr. Gross was also affiliated with Midland Women’s Clinic, who issued their own statement and also reported the incident to HHS. Their report to HHS, added to HHS’s breach tool in July although it was submitted in June, indicated that 717 patients were impacted: