
Updates to HHS’s breach tool

May 17, 2013 6:13 pm

HHS added 13 more incidents to its breach tool today. Six of them have been reported previously on this blog:

The following are incidents reported to HHS not previously covered on this blog:

Public Health – Seattle & King County in Washington reported that 750 individuals were affected by a breach on March 7 involving the improper disposal of paper records.  I was able to track down a notice on their web site that indicated that a substitute custodian employed by the building owner at Downtown Public Health Center disposed of some clients’ protected health information in a way that did not follow proper procedure. Although the agency does not believe anyone saw or obtained the papers, they contained the patients’ names, dates of birth, medical condition or treatment, phone number, medical record number, appointment date, and address.

Orthopedics & Adult Reconstructive Surgery in Texas reported that their business associate, AssuranceMD (formerly known as Harbor Group) lost a portable electronic device sometime during the first half of March. The device contained information on 22,000 patients.

Curiously, in researching the report, I came across a fragment of a May 6, 2013 classified notice. All that remains of it is:

If you have been a patient of Andrew F. Brooker, M.D. and/or Orthopedics & Adult Reconstructive Surgery you are hereby notified that a HIPAA violation may have occurred in Philadelphia, Pennsylvania when the medical records on hard drive were being converted to an electronic medical record system pursuant to recent statutory regulations. If you have any questions or concerns please feel free to c…

Whether that notice is in any way connected to the breach report to HHS, well, I have no idea. I can find no substitute notice on AssuranceMD’s web site, and can’t even find a web site for Orthopedics & Adult Reconstructive Surgery in Texas.  This is where, again, it would be very helpful if HHS posted breach reports publicly like a number of states do.

Delta Dental of Pennsylvania reported that their business associate, ZDI, suffered a breach involving the loss of paper records for 14,829 patients. The breach occurred on March 20. I was unable to find any notice on Delta Dental’s web site, and was unable to find any site for ZDI. An email sent to Delta Dental received no response as of the time of this posting. (See update on this breach here).

Valley Mental Health of Utah reported that 700 patients had information on a stolen computer. The theft occurred on February 27, and I can find no statement on their web site or substitute notice anywhere.

Wood County Hospital in Ohio reported that 2,500 patients’ information was stolen on March 19. I was able to track down a news media report on the incident, which involved the theft of x-rays, presumably for their silver value. The films contained patients’ names, medical record numbers, dates of exam, and in some cases, date of birth.

The Guidance Center of Westchester, NY reported that 1,416 patients were notified after the theft of a computer on February 21. There was a notice on their web site dated April 24, but it is no longer available. It is, however, available via Google cache:

The Guidance Center of Westchester, Inc. is notifying clients of a breach of their personal information after discovering that the following has occurred:

On February 22, 2013, the Center discovered that a central processing unit (CPU) had been removed from a staff member’s office at its 70 Grand Street, New Rochelle, New York location. The Center immediately conducted a preliminary investigation into the incident and determined that the CPU was taken on February 21, 2013. The Center notified local law enforcement and filed a police report. The New Rochelle Police Department is currently investigating the incident.

The Secretary of the Department of Health and Human Services, New York State Attorney General’s Office, New York State Office of Cyber Security, and New York State Department of State Division of Consumer Protection have all been notified in accordance with the law.

The breach involves the records of 1,416 past and present clients of the Center. It has been determined that the following categories of personal information were contained on the missing CPU: (i) names, (ii) date of birth, (iii) date of admittance to the Center, (iv) name of insurance carriers, (v) home address, (vi) diagnosis, (vii) outpatient treatment authorization request, (viii) social security number, (ix) doctors’ names, (x) a notation of whether medication was prescribed (but not a description of the medication), and (xi) case number.

The Center has taken numerous steps to locate the missing CPU and further investigate the circumstances surrounding its removal. A forensic security analysis of the accessibility of the personal information contained on the CPU has been performed. As a result of that expert analysis, the Center believes that the risk of access to the personal information at issue is low. However, enhanced security measures are being implemented facility-wide, including encrypting all laptop and desktop computers and retraining its staff, to improve security and minimize any future risk.

In an effort to mitigate against the risk of identity theft and fraud, the Center is offering to pay for identity theft protection services for one year for each affected client who requests this service. In addition, each affected client has been provided with printed materials designed to aid in further protection against identity theft and fraud, including contact information for the Federal Trade Commission and credit reporting agencies where they can place a fraud alert on their consumer reports. [A copy of this aid is available upon request.]

“The safety and well-being of our clients is and has always been our primary concern,” said Amy Gelles, the Center’s Executive Director. “We regret that this incident has occurred, but we are moving swiftly to reassure our clients that everything possible is being done to protect them now and in the future.”

Those affected have been directed to contact specially trained personnel assigned to assist them. Concerned clients may also contact Bart Worden, Deputy Director, toll-free, at 800-319-9659, between the hours of 9:00 a.m. and 5:00 p.m., Monday to Friday, or by email 24 hours a day at: bworden@theguidancecenter.org, or may send their concerns by mail to: The Guidance Center of Westchester, Inc., 256 Washington Street, Mt. Vernon, NY 10553.

The Guidance Center of Westchester is an innovative multi-service, community-based nonprofit organization which serves more than 5,000 people in Westchester County each year. For more information, visit: www.theguidancecenter.org.

Stronghold Counseling Services Inc. of South Dakota reported that 8,500 patients had information on a computer stolen on December 24, 2012. I was unable to find any additional sources on this incident. I’ve sent an email to them asking for more details.

Insurer Sues To Duck $1M Patient Data Breach Settlement

May 3, 2013 8:29 pm

Dan Packel reports that once again, an insurance company is suing for judgement that it is not liable for covering its insured over a data breach:

Peerless Insurance Co. filed suit in Pennsylvania federal court Thursday to get out of covering losses for a company that mishandled patient medical records when relocating a clinic acquired by hospital operator Select Medical Corp., causing Select to pay $1 million to Texas health authorities over privacy claims.

Read more on Law360.com (subscription required). The case is Peerless Insurance Co. v. Martin Enterprises, LLC, and I’ve uploaded part of the complaints to DataLossDB.org (free account/login required). If you don’t remember the case, you can find a recap in this press release from the Texas Attorney General’s Office and this follow-up in Lubbock Online. Martin Enterprises, LLC had not been named in any of the coverage I had seen at the time, but David Martin was allegedly hired by Select’s contractor to oversee the relocation of facilities. According to the insurance carrier’s complaint, the day after he was allegedly on-site, the records with PHI and PII were found in a dumpster.

In seeking declaratory judgement, the insurance company similarly sued Select Medical Corporation and Select Physical Therapy.

Hope Hospice notifies patients after email with PHI sent insecurely on two occasions

April 29, 2013 10:24 am

Hope Hospice officials say they recently discovered a possible information security breach after a routine check found that an employee had e-mailed a report of recent referral and admission activity to themselves through an unsecured channel.

Information in the e-mail, which was sent in December and again in February, included names of over 800 Hope Hospice patients, referral sources, admission and discharge dates, the names of insurance providers, and chart numbers.

The information did not include other sensitive personal identification like social security numbers, dates of birth, or addresses.

Due to the number of affected individuals and Hope Hospice’s policy against using unsecured channels for communicating patient information, they say that each patient or their next of kin is being notified of the incident.

KGNB in Texas reports Hope Hospice officials are notifying patients of a potential security breach involving PHI sent insecurely by an employee.  You can read their news story here.

A statement buried somewhat internally on the hospice’s web site says:

Through a routine internal compliance audit on February 25, 2013, Hope Hospice discovered a potential security breach after finding an employee had emailed a report of recent referral and admission activity to themselves via an unsecured channel on December 27, 2012 and February 22, 2013. The information included in the report was limited to 818 patient names, referral source, referral and admission date, name of insurance company, chart number, county and date of discharge. The information did not include other sensitive personal identification such as social security numbers, dates of birth or addresses. Due to the number of affected individuals and the agency’s policy against using unsecured channels for communicating patient information, each patient or their next of kin is being notified of the occurrence.

The information was secured February 28, 2013 and the Agency does not believe the type of information included presents a risk of financial harm. However,  affected individuals are encouraged to contact their financial institutions as well as any one of the three major credit bureaus to place a fraud alert on their account.

In response to this incident, all staff members have received additional training, and the agency is performing a comprehensive review to further refine its policies and procedures related to patient privacy and security. Steps are also underway to further improve the security of the agency’s operations.

The agency has a toll-free number to call us with questions and concerns about your personal information.  You may call Debra Houser-Bruchmiller, CEO at 800-499-7501 from 8 AM to 5 PM, Monday through Friday with any questions. In addition, patients may visit the agency’s website at www.hopehospice.net for further information and links to web sites that offer information on what to do if your personal information has been compromised.

Updates to HHS’s breach tool include yet another Florida hospital whose patient data were stolen

April 25, 2013 12:50 pm

An update to HHS’s breach tool this week adds 16 more incidents to their counter, although two of the entries appear to be for the same incident. Significantly, the list includes yet another Florida hospital report of theft of patient data, presumably for tax refund fraud or other fraud. In this case, though, it was not an employee of the hospital but an employee of a vendor. And once again, it seems, the hospital did not detect any problem until law enforcement alerted them.

Some of the incidents were previously noted in the media, on this blog, or on DataLossDB.org. For those, I’m simply adding notes as to what, if anything, we learned from the report to HHS that we didn’t previously know:

  • Oregon Health & Science University: the laptop stolen from a surgeon’s rental home reportedly contained PHI on 1,114. In March, OHSU had indicated that more than 4,000 were affected.
  • WA Department of Social and Health Services
  • Shands Jacksonville Medical Center, Inc.
  • University of Florida 
  • Hospice and Palliative Care Center of Alamance Caswell
  • Texas Tech University Health Sciences Center
  • University of Mississippi Medical Center: the lost or missing laptop may have been missing as early as November 1, 2012. The center detected its loss on January 22.
  • Mid America Health, PrevMED: Strangely, this breach is first appearing on HHS’s breach tool now even though the incident occurred in April 2012 and in June 2012, MAH notified Maryland that it was notifying HHS.
  • Glens Falls Hospital, Portal Healthcare Solutions

The following are incidents that I didn’t already know about:

  • John J. Pershing VA Medical Center in Missouri reported that 589 patients were affected by a paper records breach on February 20. A statement linked from the home page of their web site explains:

During a routine inspection, staff from the John J. Pershing VA Medical Center in Poplar Bluff recently discovered a box in an unoccupied equipment storage room; a box that contained personally identifiable information.

The information, including social security numbers, concerned approximately 580 Veteran patients at the medical center.

Though there is no indication the information was accessed or used by unauthorized personnel, the medical center is taking no chances. “The room was generally kept locked with only staff or contractors having access, but we cannot be absolutely certain the storage area was completely secure at all times, so we are notifying Veterans who could be affected,” noted Medical Center Director and CEO, Marj Hedstrom. “Every Veteran whose name was contained in the box will receive a letter of notification and, where appropriate, an offer of credit monitoring for one year at no charge.”

  • Texas Health Care, P.L.L.C. reported that 554 were affected by a breach on March 10 involving “theft, paper.” No statement appears on the practice’s web site and I can find no substitute notice or press release about the breach in online sources I searched. An email inquiry was sent to the practice but received no response by the time of this publication.
  • Lake Granbury Medical Center in Texas reported that 502 patients were affected by a breach on February 13 involving “Theft, Paper.” There does not appear to be any statement on their web site, and again, I could find no substitute notice available online.
  • Carpenters Health & Welfare Trust Fund for California reported that its business associate, QuickRunner, Inc. (dba RoadRunner Mailing Services), experienced a breach involving paper records that affected 2,400 on March 11 and March 12. Neither entity appears to have a substitute notice on their respective web sites, and I can find no media coverage at the time of this publication.
  • Mount Sinai Medical Center in Florida reported that 628 patients were notified of a breach that seemingly occurred over a period of months. Curiously, the report on HHS’s breach tool did not include any mention of the business associate, even though it was an employee of a vendor who reportedly stole patient information. A statement on the medical center’s web site explains:

    At Mount Sinai Medical Center, we take our commitment to patient privacy very seriously, and we work diligently to ensure the security of our patients’ confidential information. Regrettably, this notification concerns an incident related to that information.

    On February 28, 2013, we learned from local law enforcement that an employee of a contracted vendor of the Medical Center may have accessed patient information inappropriately from October 2012 to February 2013. Upon learning this information, we conducted an investigation and began fully cooperating with law enforcement authorities. The suspect has been arrested.

    Our investigation confirms that the information involved includes patient names, dates of birth, Social Security numbers, and addresses. A second group of information includes patient names, addresses, bank account numbers, and routing numbers. While a patient’s information may have been exposed, it does not mean that it was misused. The incident did not affect any patients’ medical records, medical treatment or Mount Sinai billing accounts.

    We began mailing letters to affected patients on March 15, 2013. We have also set up a call center with a toll-free help line for all patients who have questions. The phone number is 1-877-282-6407. The call center is staffed weekdays from 9 am until 7 pm eastern time. Also, if you have concerns about this situation and have not received a letter from us by March 29, 2013, please call the help line with your questions.

    We deeply regret any inconvenience or concern this event may cause. We are in the process of undergoing a comprehensive review of our security policies and practices to help prevent a similar incident from occurring in the future.

  • Thomas L. Davis, Jr. DDS of Oregon reported that 3,269 patients were notified of a breach in February involving EMRs and a desktop computer. Dr. Davis does not appear to have a web site and I can find no press release or substitute notice about the breach by the time of this publication.

Texas Tech University Health Sciences Center notifies patients of billing statement breach

March 25, 2013 5:24 pm

On March 22, MyHighPlains.com reported that Texas Tech University Health Sciences Center (TTUHSC) had experienced a breach that resulted in 700 patients’ billing statements being sent to the wrong addresses. The breach was also disclosed that day on TTUHSC’s web site and in a press release identical to the statement posted on their web site.

In response to a request I sent them, TTUHSC kindly sent a copy of their notification letter to patients of March 12, which I’ve uploaded here (.docx). The letter reads, in relevant part:

On February 20, 2013, Texas Tech University Health Sciences Center (TTUHSC) became aware of a technical error that occurred while processing billing statements for TTUHSC patients.  The error, which occurred on February 18, 2013, caused patient billing statements to be linked to incorrect patient addresses.  This may have resulted in your statement going to the wrong address.  The information contained in each of the billing statements included:

  • Name
  • Account number
  • Invoice number
  • Date service at TTUHSC
  • Charge amount
  • Department & Provider Name
  • Adjustment amount
  • Payments from insurance company(s)
  • Amount Due
  • Total Account Balance

You may have received a statement belonging to another individual.  To ensure that all patient information is maintained confidential, please return the statement to TTUHSC or destroy the copy.

We have not received any indication that the information contained in these statements has been accessed or used by an unauthorized individual.  However, we do recommend you call the toll-free numbers for any of the three major credit bureaus to make sure there has not been any type of unusual activity.  In addition you can ask to have a Fraud Alert put on your credit file.

We take very seriously our role of safeguarding your personal information.  TTUHSC apologizes for the inconvenience this situation may have caused you.  Please be assured that additional safeguards have been put into place.

Should you have any questions, do not hesitate to call our toll-free number at (877) 272-0570.

Very nicely written letter, in my opinion. I’m not sure why/whether patients would need to contact credit bureaus given the types of information involved, but all in all, a quickly detected breach with a clearly written notification letter probably goes a long way towards defusing any anger or frustration patients might feel.