Through its lawyers, Heraeus Incorporated notified the New Hampshire Attorney General’s Office on December 29 of a security breach.
According to the letter, the company noticed on November 18 that a steel cabinet that contained a safe with backup tapes was missing. The company believes (but cannot be sure) that the cabinet was discarded as part of a massive cleanup prior to building demolition. If the cabinet was discarded, it was sent to a transfer station, crushed, sent to Pennsylvania where it was crushed again and then buried in a landfill.
Approximately 514 people had personal information on the tapes, including names, addresses, Social Security Numbers, driver’s license numbers, financial account numbers, medical information, and other personal information.
Although this is not a huge PHI breach as far as I can tell, I include it on this site because it reminds us, once again, that many non-HIPAA-covered entities may have various amounts of medical or health information in their files. When such entities have breaches, they do not have the same disclosure and notification requirements as HIPAA-covered entities.
Does it really matter whether your medical information was on a tape lost by a business vs. a pharmacy, assuming it’s the same information? Shouldn’t there be one set of notification requirements based, perhaps, on the type and sensitivity of information involved in a breach?