HHS added 13 more breaches to its breach tool this week.
Let’s start with the breaches we already had some information about and indicate what new information can be gleaned from HHS’s entries:
- The Vitreo-Retinal Medical Group breach reportedly affected 1,837.
- The California Correctional Health Care Services breach affected 1,001 inmates.
- The Indiana Family & Social Services Administration breach. Interestingly, IFSSA did not report the involved Business Associate as being responsible for the breach although other coverage named RCR Technology Corporation (RCR) as the responsible BA.
- The Rocky Mountain Spine Clinic breach.
- The Cogent Healthcare breach due to M2ComSys’s firewall error.
- The Foundations Recovery Network breach affected 5,690 patients.
- The breach reported by counselor Janna Benkelman affected 1,500 patients.
- The Missouri Department of Social Services reported that its business associate, InfoCrossing, Inc. was responsible for a breach affecting 1,357 individuals between October 2011 and June 7 of this year. This appears to be the breach previously identified on this blog as the MO HealthNet breach. The state’s notice about the breach can be found here.
There was one other breach in the recent update that may (or may not) belong with the grouping above. According to HHS’s log, GEO Care, LLC in Florida reported that 710 patients were affected by a breach on April 16, 2013. The breach was coded as “Unauthorized Access/Disclosure,Desktop Computer.” I’m wondering if this might be the South Florida State Hospital breach reported previously on this blog.
Here are some breaches I hadn’t previously known about:
- Louisiana State University Health Care Services Division reported a breach that occurred on December 1, 2011. Yes, the log says 2011. HHS’s log does not indicate the date a breach was discovered, so it’s unclear from their entry whether LSUHCS only recently discovered this breach or had simply failed to report it when it happened. The breach, which HHS coded as “Unauthorized Access/Disclosure,Desktop Computer,” reportedly affected 6,994 patients. The log entry does not appear to correspond to either of two previous breach reports covered on this blog. I have sent an e-mail to LSUHCS requesting more information on their report to HHS and they are looking into it.
- Brookdale University Hospital and Medical Center in New York reports that 2,700 patients had PHI on a portable electronic device that was lost on May 24. I could not find any substitute notice for the breach and have e-mailed the center to request an explanation and details but have not received a response as of the time of this posting. This is Brookdale’s third incident to appear on HHS’s breach tool. The first, in August 2012, involved a business associate, Standard Register, and the paper records of 2,261 patients. The second, in September 2012, involved another business associate, Health Plus Amerigroup, and affected 28,187 patients whose PHI was disclosed to other facilities in error.
- Young Family Medicine Inc. in Ohio reported that 2,045 patients had PHI on a laptop that was stolen on June 12. I cannot find any web site for the practice or any substitute notice. That raises another question: why are there so many breaches affecting more than 500 where I can’t find a substitute notice? Are they appearing in local media not indexed by Google, or are they disappearing too quickly before I can find them?
- Hancock OB/GYN in Indiana reported that 1,396 patients were affected by a breach that began November 9, 2011 and continued until June 17 of this year. A statement on the home page of their web site dated August 14 explains that
an employee at the practice had accessed physician notes in those patients’ medical records without a work-related reason for doing so. The physician notes included the patient’s name, date of service, medical record number and specific clinical information regarding the OB/GYN care provided. No financial or other identifying information was inappropriately accessed by the employee and no copies of the information were made during the inappropriate access.
Upon verifying incidents of this on June 17, 2013, the practice immediately began a thorough investigation, which was completed on or about July 31, 2013. The practice then cross-referenced those results with another practice database to retrieve the contact information needed to provide affected individuals with written notice. The practice’s investigation revealed that the employee had accessed the physician notes in 1,396 patient records out of curiosity during her employment from November 9, 2011 through June 17, 2013.
Hancock OB/GYN is committed to protecting patient confidentiality and therefore terminated the employee for violating the practice’s policies protecting patient privacy. The practice has notified affected patients of this incident in writing and has re-educated the remaining Hancock OB/GYN employees on its policy regarding access to and the appropriate use of patient information.
Hancock OB/GYN deeply regrets the actions of its former employee and wants to reassure its patients that privacy is a priority. The practice has established a toll-free information line for individuals who have additional questions about this incident. Those individuals can call 1-866-221-0150 between the hours of 9:00 AM to 7:00 PM, Monday through Friday.
The above is a useful example of a well-written breach notice. The only thing missing, I think, is some statement about hardening access controls or monitoring so that such improper access is detected promptly, if not prevented. Simply re-educating employees without implementing more monitoring is unlikely to be as effective as a combination of both.
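As an added illustration of the kind of access monitoring the paragraph above calls for (example code written for this post, not from Hancock OB/GYN or any EHR vendor): a small Python check over a constructed audit log that flags staff opening physician notes for patients they have no care relationship with, and reports users who do so for more than a handful of charts. The log lines, the care-team table and the threshold are all assumptions made up for the example.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed EHR audit log (not real data): who opened which chart section, when.
AUDIT_LOG = """\
timestamp,user,patient_id,section
2013-06-17T09:02:11,nurse_a,P1001,physician_notes
2013-06-17T09:05:40,nurse_a,P1002,physician_notes
2013-06-17T09:07:03,clerk_b,P1003,physician_notes
2013-06-17T09:08:15,clerk_b,P1004,physician_notes
2013-06-17T09:09:27,clerk_b,P1005,physician_notes
2013-06-17T09:11:59,clerk_b,P1006,billing
2013-06-17T10:30:00,dr_c,P1001,physician_notes
"""

# Constructed care-team table: staff with a work-related reason to open each chart.
CARE_TEAM = {
    "P1001": {"nurse_a", "dr_c"},
    "P1002": {"nurse_a"},
    "P1003": {"dr_c"},
    "P1004": {"dr_c"},
    "P1005": {"dr_c"},
    "P1006": {"clerk_b", "dr_c"},   # billing staff legitimately see billing data
}

# Chart sections carrying clinical detail; front-office roles rarely need them.
CLINICAL_SECTIONS = {"physician_notes"}


def find_unrelated_accesses(log_text, care_team):
    """Return audit rows where a user outside the patient's care team
    opened a clinical section of that patient's chart."""
    flagged = []
    for row in csv.DictReader(StringIO(log_text)):
        allowed = care_team.get(row["patient_id"], set())
        if row["section"] in CLINICAL_SECTIONS and row["user"] not in allowed:
            flagged.append(row)
    return flagged


def users_over_threshold(flagged, max_unrelated=2):
    """Count distinct unrelated charts per user and report those above the
    threshold; a review queue for the privacy officer, not an automatic verdict."""
    per_user = defaultdict(set)
    for row in flagged:
        per_user[row["user"]].add(row["patient_id"])
    return {u: len(p) for u, p in per_user.items() if len(p) > max_unrelated}
```

Run daily rather than at offboarding, a check like this would have surfaced the Hancock OB/GYN pattern (one employee, many unrelated charts) long before the 19 months the notice describes.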
I will update this entry if and when I obtain more details on the breaches where we have little information.