Fairfax County, Virginia issued the following release yesterday about a breach that does not appear on HHS’s public breach tool and that was not previously known to this site. They say a total of 595 individuals were affected, but the number whose PHI were involved was not specified:
Since a 2012 unauthorized data release by the third party vendor, Meridian, managing its multi-function devices used for scanning, faxing and printing documents, Fairfax County Government has contacted, or attempted to contact, individuals impacted by the disclosure of electronic protected health information (ePHI) and personally identifiable information (PII) exposed to the Internet.
Notification letters have been mailed to all with available contact information. This notice is being published to locate current contact information for:
- 47 individuals whose PII was exposed.
- 33 individuals whose ePHI was exposed.
In May 2014, Fairfax County Government discovered that data from multi-function devices was exported by a county contractor, Meridian, from an on-site county server to an Internet-accessible server owned and maintained externally by Meridian. This unauthorized export occurred in October 2012 by a Meridian technician responsible for supporting these multi-function devices and systems.
Fairfax County takes the circumstances surrounding this breach of personal and medical information very seriously and, upon discovering the potential data exposure, immediately took steps for remediation, mitigated further exposure and enforced security and data requirements with the vendor.
The export included a limited collection of documents that had been scanned on these multi-function devices by county personnel between approximately June 2010 and October 2012 and rejected by the system due to an error. The documents exposed on Meridian’s server included PII, such as Social Security numbers, driver’s license numbers and/or financial account numbers, as well as ePHI, on county employees and other individuals.
At Fairfax County’s request, Meridian agreed to notify all impacted individuals and provide free credit monitoring services. As a precautionary measure to safeguard an individual’s information from potential misuse, Meridian has partnered with Equifax to provide its 3-in-1 Alerts identity theft protection product to an impacted individual for one year at no charge.
Individuals who would like more information about this specific exposure of information may contact Meridian at:
- Meridian
5775 General Washington Drive
Alexandria, VA 22312
Phone: 571-282-2449, TTY 711
Individuals who require additional information concerning Health Insurance Portability and Accountability Act (HIPAA) patient rights may contact:
- Fairfax County Government HIPAA Compliance Program
12000 Government Center Parkway, Suite 527, Fairfax, VA 22035
Phone: 703-324-4136, TTY 703-968-0217
infosec@fairfaxcounty.gov
and/or
- Secretary of the Federal Department of Health and Human Services (HHS)
Office for Civil Rights, Region III
U.S. Department of Health and Human Services
150 S. Independence Mall West, Suite 372, Philadelphia, PA 19106-3499
Phone: 215-861-4441, TTY 215-861-4440