The public list of breaches reported to HHS under the HITECH Act was updated to add two entries. Both entries are associated with the same business associate: MSO of Puerto Rico. I do not see anything on the web sites of the covered entities or the business associate about the incident nor did I see any press release in any of the major media outlets I routinely check for breach-related news.
PMC Medicare Choice
State: New York
Business Associate Involved: MSO of Puerto Rico
Approx. # of Individuals Affected: 605
Date of Breach: 2/04/10
Type of Breach: Other
Location of Breached Information: Paper Records
MMM Health Care Inc.
State: New York
Business Associate Involved: MSO of Puerto Rico, Inc.
Approx. # of Individuals Affected: 1,907
Date of Breach: 2/04/10
Type of Breach: Other
Location of Breached Information: Paper Records
While it is encouraging to see OCR updating the site in a timely fashion, we still do not know what types of information were involved nor how the breach occurred. Did an insider steal records, were they destroyed insecurely, was there a burglary? And how can we evaluate the risk? Did the paper records contain SSN, credit card information, diagnoses, treatment codes, Medicare Identification Numbers, or what? HHS is receiving this information from the entities but the HITECH Act does not require HHS to make all of the details publicly available on their site. It merely requires that a list of breached entities be posted.
I have not yet received an answer to my follow-up questions to OCR about the shielding of private practitioner’s names and public records nature of these breach reports, so there is nothing new to report on that front other than that I consider this a very important issue that goes to the core of open records. As a matter of public policy and decision-making, we need to know more about what is going on so that we can learn from it and develop better strategies for protecting the privacy and security of patients’ records.