HHS updates breach tool (update 3)
HHS added 10 incidents to its breach tool in its most recent update. Somewhat depressingly, five of the incidents involved the theft of unencrypted laptops.
In terms of newly revealed details on known incidents, the University of Miami reported that it had notified 64, 846 patients of the insider breach involving theft and possible sale of patient “face sheets.”
The Howard University Hospital breach of January 25th involving theft of a laptop was updated to reflect 66,601 patients notified. Initially, Howard University had reported 34,503 patients affected.
Here are some of the newly disclosed incidents that had not been previously mentioned on this blog:
Central States Southeast and Southwest Areas Health and Welfare Fund in Illinois notified 754 about an incident on July 31st involving “Unauthorized Access/Disclosure,Other” of paper records. There is no notice on their web site at this time and I can find no substitute notice or media coverage. They have not yet responded to a request for a statement explaining the breach.
Update 2: Central States responded on September 23 saying that they promptly sent a notice to the affected individuals. They did not provide a copy of their notice, stating “The regulations do not authorize disclosure to the media in any other circumstances and disclosure of details of the breach could only increase the risk to the affected individuals.”
Well, the regulations do not actually prohibit disclosure to the media, either, so I disagree with them on that. And it’s not clear to me how being publicly transparent about a breach increases the risk to individuals, unless the data were lost and someone might suddenly go looking for them and find them.
Perhaps Central States doesn’t realize that their notification to HHS is subject to FOI. Eventually, we will get the details on this one.
Liberty Resources, Inc.” in Pennsylvania notified 3,183 of a laptop theft on August 4th. I cannot find any statement on their web site and I can find no media coverage or substitute notice. They have not yet responded to a request for a statement explaining the breach.
Update 3: Liberty Resources kindly provided a copy of their media notice.
Tricounty Behavioral Health Clinic in Acworth, Georgia notified 4,000 patients after a laptop was stolen on August 26th. They do not seem to have a web site, but I was able to locate a brief media report in the Rome News-Tribune under one of their doctor’s names:
An Acworth doctor had a laptop stolen from her office, according to a Cherokee County Sheriff’s Office report.
According to the report:
Someone broke into the office on Dr. Swarnalatha Inderjith, of 4661 Jefferson Township Lane, and stole a laptop that contained patient information on Aug. 27.
A 32-inch television was also stolen.
The doctor has set up a toll free number for patients or former patients to learn additional information. The number is 888-261-6360.
And yes, there seems to be a small discrepancy as to the date of the theft.
Charlotte Clark-Neitzel, MD of Olympia, Washington notified 942 patients following the July 24th theft of a laptop. I was able to locate a cached copy of Sept. 11 substitute notice:
The home office of Charlotte B. Clark-Neitzel, M. D. was broken into on July 24, 2012. In addition to other personal items, the thieves stole both her medical bags and a laptop. The laptop contained access to Dr. Clark-Neitzels electronic medical record (EMR) system which was used daily to manage patient information. The Olympia Police Department was notified and is conducting their investigations. All affected patient notification letters were mailed on September 7, 2012. A thorough investigation shows that patient name, address, Social Security number, date of birth and medical information was included on the laptop. Patient billing and banking information was not stored on the laptop and therefore not breached. At this time there has been no indication of malicious use of patient information. Dr. Clark-Neitzel has hired ID Experts to aid in notification and provide services to affected patients. Patients with questions regarding this incident or to determine if they were affected can contact ID Experts at 1-800-809-2956. This public notice is in accordance with the Health Information Technology for Economic and Clinical Health (HITECH) Act. Dr. Clark-Neitzel has sent notification letters to the affected patients and the Department of Health and Human Services (HHS).
Lana Medical Care in Florida notified 500 patients after a laptop was stolen on August 18. I can find no web site for the practice, nor any substitute notices under that name or under the names of two physicians associated with the practice.
As additional info becomes available, I’ll update this post.