HHS’s public breach tool continues to provide evidence of breaches involving patient information, but unfortunately, we often don’t know the details. The following incidents were recorded on their breach tool, but I have been unable to find any public notices (substitute notices or press releases) or web site notifications. Indeed, some of the practitioners listed…
Irish Water confirms possible breach of data protection
From RTÉ: Irish Water has confirmed a possible breach of data protection may have occurred after it sent information packs with the wrong names to over 6,000 customers. The water company said it occurred with packs sent to the owners of multiple properties. The company has contacted the customers involved. They also alerted the Data…
Cleaning up after password dumps; Google forces reset of leaked Gmail login passwords
Media reports yesterday suggested that Gmail login data for 5 million accounts had been leaked online, but there was no evidence that Google itself had been hacked. Here is Google’s statement in response to the incident: One of the unfortunate realities of the Internet today is a phenomenon known in security circles as “credential dumps”—the…
Security lapse by Diamond Computing exposed Diatherix patients' information on the Internet for 22 months
Diatherix Laboratories in Alabama posted this notice on their site about a breach involving Diamond Computing Company: On August 7, 2014, the Compliance Officer of Diatherix Laboratories, Inc. notified 7,016 individuals across the United States that their protected health information (PHI) may have been accessed in connection with a security lapse. Background Information Diatherix provides clinical laboratory testing…
Central Utah Clinic reports server containing 31,677 patients' information was breached in 2012
On August 7, Central Utah Clinic, P.C. posted a breach notification on their web site: PUBLIC NOTICE: Potential Central Utah Clinic HIPAA Breach PROVO, Utah. (Aug. 7, 2014) — Central Utah Clinic is committed to the protection of patient privacy and is notifying 31,677 patients, by letter, of a potential personal health information breach. On…
Administrative law judge denies LabMD's motion to sanction FTC
As I noted on August 28, the FTC had responded (pdf) to LabMD’s motion for sanctions (pdf) in FTC v. LabMD. On September 5, Administrative Law Judge Chappell denied LabMD’s motion. After summarizing the allegations and the FTC’s response, Judge Chappell writes: To support its Motion, Respondent asserts as fact numerous matters that are disputed by Complaint Counsel….