Occasionally I just pop a different search string into Google to see if it reveals any breaches I didn’t know about. Here are three breaches I stumbled across, none of which seem to have been listed on HHS’s breach tool:
The first find was a vendor breach affecting Mission Hospital that they disclosed to patients in September 2012. The hospital states that they were notified by someone that he had found a flash drive in his garage and found that it contained patient information. Although they do not state so specifically, I assume he plugged it into a computer, realized that the data were from Mission Hospital and called them to alert them. Their investigation revealed that an employee of an unnamed transcription service had lost the drive. They did not explain how it is that the employee or contractor either never realized the drive was lost or never notified them of the loss themselves.
Although the breach notification was in September 2012, the breach was never listed on HHS’s breach tool. It’s possible that fewer than 500 patients were affected, but it’s also possible that, because the data involved patients who received care at Mission Hospital between September 2008 and November 2008 and the device was used by a transcription service, the drive may have been lost four years ago – before HITECH went into effect.
This is a somewhat scary breach as unencrypted sensitive information was just lying around on a drive – possibly for years – and the hospital did not know and would not have known had not the individual who found it contacted them.
I also stumbled across an undated breach notice involving Mid America Health:
Mid America Health, Inc. has discovered a potential data breach that may result in the compromise of private information for a number of Maryland residents. The limited information that is potentially compromised includes names, dates of birth, social security numbers, residential facility names, and digital oral x-ray images. It is known that the breach occurred as a result of a theft of a laptop computer containing such information. Since the investigation is ongoing, the State’s Attorney’s office has asked that specifics of the case be withheld until they have concluded their investigation. At the moment, the impact this event may cause is still unclear. However, we believe that the risk of harm to the individuals potentially affected is low because such information was password protected.
We are making all potentially affected individuals aware of the steps they should take to guard against potential harm resulting from this incident. In addition, Mid America Health, Inc. will offer one year of free credit monitoring for any affected individual who wishes to enroll in a program for further protection of their private information. Individuals and their families will be able to accept this offer and enroll in the program for up to 90 days following the date on their letter.
[…]
Their name does not appear on Maryland’s public web site of breach notifications received, however. Not for 2012, nor 2011, nor 2010. So when did it occur?
The third find was a breach notice involving King Drug:
King Drug & Home Care has mailed letters to 13,619 clients regarding a potential breach of their protected health information.
The breach occurred on or around November 19, 2010 and was discovered on November 23, 2010.
The potential data breach was discovered by the Director of Information Systems when a portable electronic hard drive device was reportedly misplaced by an employee. Upon learning of the incident, a thorough search ensued, but the device was never located. The agency believes the device is permanently lost and probably was discarded in the trash and ultimately buried in the landfill based on the involved employee’s activities during the day of occurrence. The breach occurred after files had been downloaded to a portable hard drive as part of the archiving of files from an older electronic filing system that was being replaced with a newer system. The data contained on the device encompassed the time period July 30th, 2009 and older.
Client information since July 30th, 2009 was not included in the transfer of files. Information may have included: client’s name, date of service, medical record number, account number, Social Security number, race, insurance carrier(s) & number(s), address, phone number, sex, date of birth, diagnosis, allergies if any, initial referral form, patient assessment/plan of care, physician orders and/or delivery ticket information. Pharmacy client records were NOT included in this breach of information incident.
The Secretary of the Department of Health and Human Services has been notified by the agency of the incident. The agencies have reviewed all of our electronic security policies and procedures and have made a few revisions accordingly; however, this incident occurred due to one employee’s actions, poor judgment and not following existing agency policies.
[…]
It’s not clear to me why this breach does not show up on HHS’s breach tool.
And I wonder how many other breach reports are out there on the Internet that we still don’t know about.