HHS added 9 more breach reports to its public breach tool yesterday.
Here’s a recap of the ones we already knew about:
- The UnityPoint Health breach was added to the list, although the third party company that provided the employee to UnityPoint was not disclosed in their report. In a statement sent to PHIprivacy.net today, a UnityPoint Health spokesperson said that they have new information to share on the breach. So was this another case of an insider breach for tax refund fraud? We don’t know.
- The Hope Community Resources breach was reported to HHS as affecting 1,556 patients. Their press statement had indicated 3,700, and it’s not clear which is the more recent or accurate figure.
For the seven breaches previously unreported on this site:
Paul G. Klein, DPM, of New Jersey reported 2,500 patients had PHI on a laptop that was stolen on October 1. There is no statement on his web site and I’ve uncovered nothing about the incident via a Google search. There doesn’t even seem to be a contact email address on the web site, so I haven’t sent any inquiry. Anyone care to bet whether the laptop was stolen from the office or off-premises?
The Hospital for Special Surgery in New York reported that 537 patients had PHI stolen on March 19, although it’s not clear from HHS’s log whether the data were stolen from a computer or if the computer itself was stolen. There was also reference to “paper” format. I could find nothing on their site to clarify the breach and emailed HSS yesterday to request a copy of their substitute notice or press release on the incident. I’ll update this if/when I get a response.
Mount Sinai Medical Center in New York reported two breaches that occurred in August of this year. The first, which occurred on August 1, seemed to have involved the loss of a portable electronic device with PHI on 610 patients. The second breach, which occurred on August 6, involved the improper disposal of 1,586 patients’ paper records. Again I could find nothing on their site, and emailed MSMC yesterday to request clarification. In researching the above, I did find a media report from August 11, 2013, but it appears to be a third breach, given the timeframe of employment and alleged crime. Because there are likely fewer than 500 patients affected, this breach would not have appeared on the public breach tool, but the NY Post had reported:
A former employee of an Upper East Side hospital used a patient’s credit-card information for an online shopping purchase from Saks, according to a Criminal Court complaint.
Tamera Jordan, 35, was arrested last Monday for stealing a patient’s American Express card info from a computer at the Hospital for Special Surgery, where she worked back in February, sources said.
Jordan then used the victim’s information to make an online purchase for about $600 from Saks Fifth Avenue on March 2, court records claim.
Jordan was charged with grand larceny and identity theft, records state.
Superior HealthPlan, Inc in Texas reported that 6,284 patients were affected by a breach on October 4 that involved paper records. I was able to locate a notice on their site about the incident:
Posted
On October 9, 2013, Superior HealthPlan (Superior) learned of an incident that resulted in a breach of Protected Health Information (PHI). A breach means that PHI was mistakenly shared with another person without the member’s approval.
The Health and Human Services Commission (HHSC) recently issued new ID numbers to all CHIP members. We sent a new Superior ID card with the new ID number to CHIP members. On October 4, 2013, some Superior CHIP ID cards were accidentally sent to the wrong address. It may have been received by another person. This was caused by an error in our computer system. The member’s name and CHIP ID number were included on the ID card that was sent to the wrong address. It also included the name and phone number of the member’s doctor and effective date with Superior.
SUPERIOR HAS NOTIFIED MEMBERS AFFECTED BY THIS INCIDENT. If you have not received a letter from Superior informing you of this incident, you were not affected.
We regret this problem and wanted to make you aware of it as soon as possible. Please take the following steps to protect your information.
- Tell your Doctor that your ID card was sent to another person by mistake. This will alert them to check patient identity before providing services.
- Check any statements received from providers to confirm the services noted.
- Immediately call Superior to report any concerns about someone else using your CHIP ID card.
- Visit www.SuperiorHealthPlan.com to learn more about what can be done if your PHI has been disclosed.
Superior has taken the following actions to correct this error and protect your health information.
- We sent new CHIP ID cards to the correct address.
- We fixed the error in our computer system to make sure it does not happen again.
- We are working to get the CHIP ID cards back that were mailed to the wrong address.
- We are contacting your Doctor to let them know we mailed your new CHIP ID card to the wrong address. We will also tell them it may have been received by another person.
- We have reported this issue to HHSC.
- We will send you a notice each time a claim is paid for you so you can confirm the service was received. We will do this for a 12 month period.
- We will provide you with identity theft protection for one year, if requested. Please call Member Services to learn more about this service.
Please contact Superior with any questions.
Superior HealthPlan
ATTN: Compliance Dept.
2100 S. IH-35, Ste. 200
Austin, Texas 78704
CHIP: 1-800-783-5386
CHIP RSA: 1-800-820-568
Group Health Cooperative in Washington reported that 1,015 patients had PHI involved in an incident on September 16th involving paper records. I was unable to find any statement or documentation concerning the breach online and have emailed them for a statement. [Update1: Group Health kindly provided PHIprivacy.net with a copy of the patient notification. It reads, in part:
On September 16, 2013, we sent letters informing some patients with heart disease or diabetes about a variety of Group Health resources that are available to them. On September 23, 2013, we discovered that the Group Health member identification number and chronic condition (heart disease and/or diabetes) was mistakenly included with the name and address on the envelope. No other personal information was disclosed. This happened because an error in processing the patient information into each letter (called mail merge) caused too much information to go into the address section. Because of this error, we’re reviewing our process and taking steps to make sure something like this does not happen again.
Despite the low risk of identity theft from this incident, GHC offered those affected Kroll Advisory Solutions ID TheftSmart™ program for one year at no cost.]
Rose Medical Center in Colorado reported that 606 patients had PHI on paper records that were improperly disposed of between June 28 and July 16th. I e-mailed them for more details but have not yet received a reply. (Update2: They kindly sent an image of the substitute notice that appeared in the Denver Post on October 16, but which is no longer available online. According to the notice, the breach was discovered on August 19, and the records contained patients’ names, addresses, dates of birth, SSN, insurance information, physician name, and next of kin contact information.)