WI: Milwaukee to file complaint against Dynacare after security breach

Hell hath no fury like a city breached? The City of Milwaukee issued this statement today following the theft of a flash drive from a car owned by an employee of Dynacare. The flash drive contained what seems to be unencrypted information on city employees enrolled in a wellness program and their dependents: Statement of Milwaukee City Attorney Grant Langley November 21, 2013 After consultation with members of the Common Council and the Mayor, the Office of the City Attorney has decided to file a formal complaint with the federal Office of Civil Rights against Dynacare Laboratories for its admitted breach of HIPAA security requirements regarding the private information of more than 9,000 City of Milwaukee employees, their spouses and their domestic partners. I will be taking this action on behalf of the city and its employees based on Dynacare’s recent filing of a notice of breach of unsecured protected health information, its apparent unwillingness to communicate or cooperate with city representatives or to release details of its investigation, its failure to provide information to the city in order to protect our employees and the misleading comments Dynacare provided to the media. It is important to note that the city’s contract for its wellness program is with Froedtert Community Health/Workforce Health. That is the entity to which the city provided employee information in a secured and password-protected manner, not Dynacare. The city continues to investigate the matter, and at this time has not ruled out further litigation. Of course, some of this “we’re filing a formal complaint” bit is a bit absurd since Dynacare has already self-reported the breach to HHS. Maybe the city doesn’t trust Dynacare’s report to be accurate and wants to ensure that HHS fully understands how upset the city is at Dynacare’s lack of prompt notification and greater disclosure? Curiously, the city did not say it would file a complaint against Froedtert Community Health/Workforce Health. Because the city had provided the data to them in secure format, you’d think they would complain that Froedtert failed to ensure that the party they passed it on to maintained it in secure format.  According to the Journal Sentinel,  Froedtert Health Inc. has an ownership interest in Dynacare, but  the management of Dynacare is contracted to a subsidiary of Laboratory Corporation of America Holdings. Froedtert Community Health/Workforce Health is  affiliated with Froedtert Health. So now everyone can pull out the contracts and HIPAA regulations to see how many of these entities have responsibility for, or liability for, the breach. Don Walker of the Journal Sentinel provides some additional details that suggest this case is about to get even messier:  The [stolen employee] car contained a flash drive with the personal information of 9,414 city employees, their spouses or domestic partners. The personal information included the names, addresses, dates of birth, Social Security numbers and gender of an estimated 6,000 city employees. The flash drive also had the names of more than 3,000 spouses and domestic partners of those workers, although their Social Security numbers were not included, the company said. However, a domestic partner of a city employee provided the Journal Sentinel with a copy of a letter Dynacare sent to him, informing him that his Social Security number was on the missing flash drive. There is also evidence that people who opted out of the wellness program had their Social Security numbers and other information on the flash drive, Barrett said. If they opted out, why were their details on the drive? While you can be understandably outraged at Dynacare for the sloppy security practices by its employee, the city itself needs to explain why information on those who opted out were shared with Froedtert Community Health in the first place.WI: Milwaukee to file complaint against Dynacare after security breach

WI: Milwaukee to file complaint against Dynacare after security breach

Hell hath no fury like a city breached? The City of Milwaukee issued this statement today: Statement of Milwaukee City Attorney Grant Langley November 21, 2013 After consultation with members of the Common Council and the Mayor, the Office of the City Attorney has decided to file a formal complaint with the federal Office of Civil Rights against Dynacare Laboratories for its admitted breach of HIPAA security requirements regarding the private information of more than 9,000 City of Milwaukee employees, their spouses and their domestic partners. I will be taking this action on behalf of the city and its employees based on Dynacare’s recent filing of a notice of breach of unsecured protected health information, its apparent unwillingness to communicate or cooperate with city representatives or to release details of its investigation, its failure to provide information to the city in order to protect our employees and the misleading comments Dynacare provided to the media. It is important to note that the city’s contract for its wellness program is with Froedtert Community Health/Workforce Health. That is the entity to which the city provided employee information in a secured and password-protected manner, not Dynacare. The city continues to investigate the matter, and at this time has not ruled out further litigation. Of course, some of this “we’re filing a formal complaint” bit is a bit absurd since Dynacare has already self-reported the breach to HHS. Maybe the city doesn’t trust Dynacare’s report to be accurate and wants to ensure that HHS fully understands how upset the city is at Dynacare’s lack of prompt notification and greater disclosure. Curiously, the city did not say it would file a complaint against Froedtert Community Health/Workforce Health. Because they had provided the data to them in secure format, you’d think they would complain that Froedtert failed to ensure that the party they passed it on to maintained it in secure format.  According to the Journal Sentinel,  Froedtert Health Inc. has an ownership interest in Dynacare, but  the management of Dynacare is contracted to a subsidiary of Laboratory Corporation of America Holdings. Froedtert Community Health/Workforce Health is  affiliated with Froedtert Health. So now everyone can pull out the contracts and HIPAA regulations to see how many of these entities have responsibility for, or liability for, the breach. Don Walker of the Journal Sentinel provides some additional details that suggest this case is about to get even messier:  The [stolen employee] car contained a flash drive with the personal information of 9,414 city employees, their spouses or domestic partners. The personal information included the names, addresses, dates of birth, Social Security numbers and gender of an estimated 6,000 city employees. The flash drive also had the names of more than 3,000 spouses and domestic partners of those workers, although their Social Security numbers were not included, the company said. However, a domestic partner of a city employee provided the Journal Sentinel with a copy of a letter Dynacare sent to him, informing him that his Social Security number was on the missing flash drive. There is also evidence that people who opted out of the wellness program had their Social Security numbers and other information on the flash drive, Barrett said. If they opted out, why were their details on the drive? While you can be understandably outraged at Dynacare for the sloppy security practices by its employee, the city itself needs to explain why information on those who opted out were shared with Froedtert Community Health in the first place.

Thumb drive with personal information of Milwaukee employees recovered

There’s an important update in the Dynacare breach that affected City of Milwaukee employees. Fox6 reports that a 17-year-old male has been arrested for his role in the theft of the thumb drive, laptop, and computer bag that were stolen from the employee’s car on October 22.  According to Fox6 and other media reports, the police had not been made aware of the thumb drive being stolen until 24 days after the theft. The vehicle and laptop were subsequently recovered, but the thumb drive with PHI and computer bag remained missing. Both the thumb drive and the computer bag have now been recovered. They were found during a search of a home on January 6 during a separate crime investigation. Fox6 and WUWM report that   from the forensic examination conducted so far, it does not appear that the data on the thumb drive were accessed. The recovery of the thumb drive will likely have only little impact on the investigation by HHS/OCR, who will be more focused on what policies and security safeguards Dynacare had in place and whether they were followed. HHS/OCR should also look at Froedtert to see if they failed to monitor their vendor’s compliance with any contractual obligations for data security.

Update: City of Milwaukee employees file complaint over data breach

Well, we knew it was coming, but now Milwaukee employees have filed their formal complaint against Dynacare with HHS OCR.  Don Walker has the story. If the allegations are true/founded, then at the very least Dynacare should have to explain whether it had a policy in place that would have required the flash drive to be encrypted, and if so, how it monitored for compliance with that policy.  Was this a work-issued flash drive or personal one? And if work-issued, had it been configured for encryption? Did Dynacare’s policies prohibit leaving devices with ePHI in unattended vehicles? And if so, how did Dynacare monitor for compliance? How often were employees (and the employee in question) trained and re-trained on data security and privacy? And why did it take Dynacare 24 days to notify the city of the theft? Did Dynacare have a written breach response plan in place before the incident? If not, and as yesterday’s HHS settlement with APDerm shows, OCR may enforce. Taking it back a step, will HHS OCR look at Froedtert to see their BA contract with Dynacare and to look at how Froedtert monitored to ensure Dynacare complied with any security and breach notification requirements in their contract. I don’t expect to see anything on the breach from OCR for a long time, as it seems their enforcement actions are generally not very quick.  

Update to HHS's breach list (update 1)

HHS added 16 breach reports to its public breach tool today, bringing the counter of breaches each affecting 500 or more individuals to 736 since HITECH went into effect September 23, 2009. As I’ve done in the past, I’ll begin by noting which of the additions we already knew about, annotated if there’s anything new or significant about the report to HHS: The Rotech Healthcare Inc breach, reported here affected 10,680 employees and dependents. The Genesis Rehabilitation Services breach, reported here, affected 1,167 individuals. The United Dynacare, (dba Dynacare Laboratories) breach, reported here, here and here, affected a total of 9,328. I could be wrong, but it looks like Dynacare must have reported the breach to HHS itself, as there’s no mention of Froedtert in the log entry, even though the city of Milwaukee had contracted with Froedtert Community Health/Workforce Health, who, in turn, had contracted with Dynacare. The Scottsdale Dermatology breach, reported here, resulted in notification of 1,456 patients after an employee of their business associate, All Source Medical Management, stole patient information. Scottsdale Dermatology reported that the data theft occurred between January 1, 2013 and October 4, 2013. The Redwood Memorial Hospital breach, reported here. The DaVita breach, reported here, was reported to HHS as affecting 1,500 dialysis patients, even though DaVita’s public notice indicated 11,500 patients had PHI on the laptop..  I’m not sure why the numbers are so discrepant and have e-mailed DaVita to inquire.  If I get a response, I’ll update this. [Update 1: that was a typo on HHS’s breach tool; the correct number is 11,500, as DaVita initially reported. Thanks to DaVita for their prompt reply.] The LANAP & Implant Center breach reported here and here was reported by David DiGiallorenzo, D.M.D.  as occurring on September 17, 2012. That seems incorrect as the torrent was uploaded to a PirateBay site on February 18, 2010. Perhaps Dr. DiGiallorenzo confused date of discovery with date of breach? I’d ask them, but their lawyer has already said they’d have no further comment on the breach.  Surprisingly, Dr DiGiallorenzo seems to have reported that (only) 2,600 patients were affected by the breach. Inspection of the torrent reveals that over 11,000 individuals had PII and/or PHI in the database exposed online, so I’m really not sure how they got that number to report.  The incident was reported as “Unauthorized Access/Disclosure,Hacking Incident”,”Network Server, Electronic Medical Record,” and hopefully, HHS will confirm whether this really was a hack by a third party. I’m in the process of researching the other nine breaches added to HHS’s breach tool and will post something about them in separate posts.