Four breaches were recently added to HHS’s breach tool that were not previously reported on this blog:
Howard L. Weinstein D.P.M. of Texas reported that 1,000 patients were notified after a laptop with their information was stolen on March 13. A statement on his website says that names, addresses, Social Security numbers, and medical information were on four computers stolen from their office on March 14. The burglars broke into another office four doors down and then smashed through five walls to get into their office, the practice explains. Note that Dr. Weinstein’s office says the data on the computers were encrypted.
Shaker Clinic in Ohio, a psychiatric care facility for adults and seniors, reported that 617 patients were notified of loss of paper records on February 18. There is no statement on their website at this time that provides any explanation of the incident and they did not respond to an email inquiry sent last week.
VGM Homelink in Iowa reported that 1,400 were affected by a breach involving their business associate Tri State Adjustments on February 28. On April 25, they posted a statement on their website:
HOMELINK, a Waterloo, Iowa-based provider network of ancillary health care services, has informed 1,400 patients nationwide that it has experienced a breach of personal information through one of its business associates.
The breach consisted of private medical information – excluding financial information and social security number – being incorrectly sent to the wrong patient as part of the billing process. HOMELINK has informed all affected patients of the incident and the corrective actions that were taken.
HOMELINK maintains patient information with the highest level of care and expects the same from its business associates. If you believe your information has been compromised as part of this incident, please contact HOMELINK Accreditation, Privacy and Compliance Officer, Rick Hibben, at 866-546-6893.
The City of Henderson in Kentucky notified HHS that 1,008 were affected by a breach that began or occurred on June 28, 2012 and that was discovered on March 3, 2014. The incident involved a business associate, Keystone Insurers Group. The city kindly provided PHIprivacy.net with a copy of the legal notice they posted in The Henderson Gleaner on May 9, 2014:
In 2012, the City of Henderson, Kentucky’s health benefit plan (“Plan”) began exploring the possibility of opening a health clinic for its employees and their dependents to try to reduce health plan costs, and began providing information to its broker to help with this process. On several occasions between January 23, 2013 and March 3, 2014, the broker shared data from the Plan with several health care providers (and one business associate of a provider) who were being considered as possible partners with the City in development of such a clinic. On March 11, 2014, the City learned that the data shared with these potential partners included its Plan Participants’ detailed individually identifiable health information.
The City has conducted an investigation and concluded that more health information was disclosed than was minimally necessary to obtain proposals for the health clinic, although there is no reason to believe the information was misused in any way. The information released to the broker and then to the providers included names of Plan participants, insurance ID numbers, addresses, gender, birthdate, and information about the treatment, diagnosis, prescriptions, expenses, providers, and workers compensation claims (if applicable) of Plan Participants.
The City has no reason to believe that your information has been misused or disclosed inappropriately by anyone who received it. All the recipients are required to comply with the federal Health Insurance Portability and Accountability Act (HIPAA) privacy law and protect the information they received. In addition, all of them have assured us that they have not forwarded the information to anyone else (other than the business associate, who forwarded the information to one of the providers). We have asked the recipients to destroy any copies of the information they may have had in their files. Nevertheless, in an abundance of caution, we are in the process of sending notification letters to those persons affected so that they may take any extra precautions that they might consider to be necessary.
The City is treating this matter very seriously and is working to ensure something like this does not happen again. It has put procedures in place to assure only the minimum amount of your health information is used, disclosed or requested for its future administrative needs, and it has asked its broker to provide us with assurances that its employees have received adequate training on all applicable HIPAA requirements. The safety and security of your health information are among the City’s and the Plan’s highest priorities.
Even though the City has no evidence that Plan Participant information has been misused, it encourages Plan Participants to review carefully all regular and electronic correspondence received from UMR (the company that processes the Plan’s health care claims) for unauthorized activity, such as claims paid out of the HRA that Participants do not recognize, or an explanation of benefits detailing treatment Participants did not receive. If you have other questions concerning your health information, please contact Dawn S. Kelsey, City Attorney, at 270-831-1200, City of Henderson, P.O. Box 716, Henderson, KY 42419-0716.