Alex Kennedy reports a settlement in a case previously covered on this site back in 2012-2014: An out-of-court settlement has been reached in a class-action lawsuit involving Western Health that dates back more than a decade. The lawsuit was launched in August 2012, alleging that the health authority failed to protect the personal information of patients and violated the province’s Privacy Act. The class-action said more than 1,000 people were harmed when a Western Health employee accessed private medical files, including personal information. The employee has since been dismissed. Read more at CBC.
Gary Kean reports: The Supreme Court of Newfoundland and Labrador has decided that a group of patients who had their health information inappropriately accessed by a Western Health employee have grounds to continue with a class action lawsuit against the health authority. Justice William Goodridge, who heard arguments last February from both the health authority and the lawyers representing 1,043 people who were notified about the breaches of privacy, released his decision Monday morning. Read more on The Western Star. I haven’t located a copy of the decision yet, but will update this post if/when I locate it.
CBC News reports: A former employee with Western Health was fined Thursday in a privacy breach at the hospital in Corner Brook. Donna Colbourne accessed more than 1,000 patient files at Western Memorial Regional Hospital while working there as an accounting clerk until 2012. Judge Kymil Howe, appearing by video conference from Stephenville, imposed a $5,000 fine on Colbourne after she obtained personal health information on 75 different occasions. “The effect of the breach is far reaching by the accused by mindless meddling into personal affairs,” said Howe. Read more on CBC News.
VOCM reports: The Breach of Privacy class action lawsuit that was issued against Western Health in August of 2012 continues, as the prosecution gears up for a certification hearing later this week. The hearing will dictate whether or not they can move ahead with the lawsuit. Over two years ago, 1,043 people had their medical information accessed by a Western Health worker who did not have the authority to do so. Read more on VOCM.
Gary Kean reports the update to the Western Health breach noted previously on this blog: There will not be a speedy disposition of the criminal charge against the former Western Health employee accused of inappropriately accessing medical records on the job. The matter involving Donna Colbourne of Corner Brook was scheduled to be dealt with in provincial court in Corner Brook Friday afternoon. Usually, a speedy disposition involves a guilty plea and submissions on sentencing for a judge to consider. However, when the matter was called before Judge Kymil Howe, defence lawyer James Goodwin informed the court that his client would be entering a not guilty plea and going to trial. Read more on The Western Star.
Gary Kean reports that a second class action lawsuit, representing about 200 patients who received breach notifications from Western Health, has been filed. Unlike the other lawsuit, however, this one names the employee as a co-defendant. Over 1,000 patients received notification letters concerning an employee’s inappropriate access to their files. For at least some patients, there were repeated accesses to their files without legitimate purpose. Some of the patients seem to be asking good questions. Kean reports: The plaintiffs also want to know the answers to questions not provided by Western Health in its registered letter to the 1,043 affected patients. “In the letter, (Western Health) provided no explanation as to how the breach was able to occur, how (Colbourne) was able to access so many patient records inappropriately over an extended period of time and why the audit only consisted of an 11-month period,” stated the claim. Indeed. Read more on The Western Star.
Protenus has published its Breach Barometer for April, with data and some analyses provided by this site. The analyses were based on the following incidents:

- Amedisys Home Health
- Area Agency on Aging 1-B: On March 31, 2017 the Area Agency on Aging 1-B (AAA 1-B) became aware of an unintentional potential disclosure of the personal health information (PHI) of 1,741 program participants. Two separate unencrypted emails containing participants' names, case numbers, claim payment amounts, units of service, service codes and vendor codes were sent by the AAA 1-B to the Michigan Department of Health and Human Services (MDHHS) Aging & Adult Services Agency on March 23 and March 30.
- Ashland Women's Health
- Atlantic Digestive Specialists
- Behavioral Health Center
- BioReference Laboratories, Inc.
- Cardiology Center of Acadiana
- Carson Valley Medical Center: Following the receipt of a fake email, a CVMC employee released a single spreadsheet that included patient first and last names, patient account number, service discharge date, and identification of the location of treatment as CVMC.
- Central New York Psychiatric Center
- Cleveland Metropolitan School District
- CVS
- Erie County Medical Center
- Eyecare Services Partners Management, LLC
- GlaxoSmithKline Patient Assistance Program
- Greenway Health
- Harrisburg Endoscopy and Surgery Center, Inc.
- Harrisburg Gastroenterology
- Hill Country Memorial Hospital
- Humana Inc [case # HU17001CC]
- Iowa Veterans Home
- LifeSpan
- Memorial Healthcare
- Memorial Hospital Clinic South
- Memorial Hospital Clinic West
- Michigan Facial Aesthetic Surgeons d/b/a University Physician Group
- MVP Health Care, Inc.
- Pentucket Medical
- Spine Specialist
- St. Lucie County
- University of Oklahoma, OU Physicians
- University of South Florida
- Valley Women's Health, S.C.
- Virginia Mason Memorial
- Western Health Screening

Significantly, perhaps, one of the worst incidents in terms of potential harm to individual patients was one that only appeared on HHS's breach tool because this site discovered it and notified the entity that its patients' psychotherapy records appeared to be up for sale on the dark web. Of note, the hacker never attempted to extort the clinic to see whether it would pay to get the data back; the data were simply put up for sale with an asking price of a minimum of $10,000.00 (about $2-$3 per patient). Another candidate for worst breach of the month was the Erie County Medical Center ransomware attack, which is still not totally resolved. Thankfully, the center had backups and other means of accessing patient records and information, or the impact on care could have been a nightmare. While DataBreaches.net considered these perhaps the worst breaches of the month (admittedly a somewhat subjective determination), perhaps my biggest concern in reviewing the April data was wondering how many incident reports we are not seeing on HHS's breach tool. Are we missing so many incidents from both HIPAA-covered and non-HIPAA-covered entities that what we do know about is not really representative of what's going on with threats to health data security? Is HHS's public breach tool giving us any kind of accurate insight into risks and breaches involving health data, or is it just significantly underestimating and misrepresenting the real risks? I'll have more to say on this in another post.
From their disclosure notice: Western Health Screening (“WHS”) is an organization that offers comprehensive blood screening tests. It partners with community organizations, such as hospitals, to provide onsite blood screenings at Health Fairs throughout the Western Slope of Colorado. You have been a participant at Health Fairs in the past that were sponsored by either Montrose Memorial Hospital; Gunnison Valley Health; or Delta County Memorial Hospital (the “Hospitals”). WHS recently learned that a vehicle owned by WHS, en route to a Health Fair and passing through Salt Lake City, Utah, was stolen. There was a piece of computer equipment known as a “jump drive” belonging to WHS that was in the stolen vehicle. Upon learning of this theft, WHS immediately investigated and determined that the jump drive, which was password protected, but unencrypted, contained participants’ personal information. WHS learned of the theft on February 7, 2017, but determined that the jump drive was unencrypted on February 15, 2017. WHS is sending this letter to you as part of WHS’s, and the Hospitals’, commitment to privacy. We take privacy very seriously, and it is important to us that you are made fully aware of this incident. When WHS learned of the theft, it immediately reported the theft to the Salt Lake City Police Department. The jump drive has not been recovered and the police continue to investigate. WHS also conducted its own internal investigation. WHS determined that the jump drive contained demographic information that had been collected by WHS for health fair participants from the years 2008-2012, including health fair participants’ names, addresses, phone numbers and in some instances Social Security numbers. WHS also determined that the jump drive can only be accessed via a unique password.
The jump drive did not contain any medical information such as blood test results, nor did it contain any financial information such as credit card numbers or other source of payment information. To date, WHS has no evidence that any participants’ information was accessed by unauthorized persons or that any participants’ personal information has been misused. We are notifying you out of an abundance of caution so that you can take appropriate steps to protect yourself. To help relieve concerns and restore confidence following this incident, we have secured the services of Kroll to provide identity monitoring at no cost to you for one year. […] So why was a portable device with unencrypted participant information from 2008-2012 even in the van in 2017? If they needed old information as part of the current screening services, then how might they have accessed it more securely? At the very least, the data or drive should have been encrypted. “Password protected, but unencrypted” means the password is checked by software on the host, not bound to the stored bytes: whoever has the drive can attach it to another machine or image it and read the contents without ever seeing the password prompt, so the statement that the drive “can only be accessed via a unique password” offers no real assurance once the device is in a thief’s hands. Did Western Health Screening’s risk assessment include portable devices left in vans or taken out in the field for screenings? I would hope so.
Colleen Connors reports: Western Health faces a privacy breach after 10 pages of patient information were incorrectly sent to a company in Corner Brook Tuesday. The documents include patient names, phone numbers and information pertaining to their doctors. The paperwork also listed medical transportation expenses required for patients living at BayShore Estates, a personal care home in Irishtown-Summerside in western Newfoundland’s Bay of Islands. Read more on CBC.ca.
The Information Commissioner’s Office announced two undertakings today. The first, involving Western Health & Social Care Trust, follows two incidents. One incident concerned the theft of two computers from Trust premises during a burglary on October 8, 2013. The computer contained sensitive personal data relating to the provision of specialist mental health services by a retired employee. Although investigation determined that the information had been deleted from the desktop, there was a risk it could still be retrieved from the hard drive. So there was unencrypted information that (1) could have been stored offline, and (2) the Trust could have deleted more securely, since ordinary deletion leaves the data recoverable from the disk. The second incident was reported to the ICO in June 2014 after photocopied medical records disclosed to an individual in response to a subject access request (SAR) contained information about two other patients. You can read the Western Health & Social Care Trust undertaking here (pdf). The ICO also announced an undertaking had been signed by Rochdale Borough Council. The ICO had been contacted by a member of the public who had found social care papers in a public place. The paper files had been held in a cotton bag and had been stolen from the boot of a social worker’s car between the evening of 5 January and the morning of 6 January 2014. The papers contained personal data relating to 86 individuals. Sensitive personal data, including health, mental health, and sexual offence data, was included in the files of 29 of those individuals. On investigation, the ICO determined that the social care worker had violated policy by removing too much information from the office and, also importantly, had never received data protection training, despite having worked for the council for 18 months by the time of the incident. You can read the Rochdale Borough Council undertaking here (pdf).