Following a story in today’s Columbus Dispatch, reported earlier today on this blog, Grant Medical Center has issued the following press release and substitute notice on its web site:

POTENTIAL SECURITY BREACH AT GRANT

COLUMBUS, Ohio – On November 5, 2010, Grant Medical Center discovered that out-of-service computers were stolen from an inventory storage facility. Grant Medical Center immediately investigated and determined that the thefts were accomplished by one employee. Grant immediately strengthened the inventory controls and storage processes for out-of-service computers and terminated the employee involved.

The employee attempted to clean information off the hard drives but used a technique that may not always be wholly effective. Although data remaining on the hard drives could include some unsecured personal health information for patients treated at Grant Medical Center between 2008 and November 5, 2010, it is inaccessible to anyone except skilled computer technicians with specialized software and equipment. To date, we are unaware that any personal information has been recovered or misused by any unauthorized person.

This announcement is a substitute notice under the HIPAA notice of breach rules. Individuals who believe that they may have been affected may call 1-888-845-0818 for assistance. This hotline number will remain in effect for at least 90 days.
Daniel Rockey of Bryan Cave Leighton Paisner writes:

In a case of first impression, the United States District Court for the Southern District of California granted the motion of Defendant Neighborhood Healthcare seeking an order compelling the United States to defend a putative class action lawsuit alleging that Neighborhood failed to ensure the confidentiality of her electronic health records in connection with a ransomware attack on Neighborhood’s data hosting provider, in violation of the Confidentiality of Medical Information Act. Neighborhood’s attorneys at BCLP removed the case to federal court under 42 U.S.C. § 233(l), a provision of the Federally Supported Health Center Assistance Act (“FSHCAA”) by which Congress determined that federal nonprofit grant recipients may apply to be “deemed” an employee of the Public Health Service for purposes of the Federal Tort Claims Act (“FTCA”). The FSHCAA provides that the sole remedy for plaintiffs alleging “damage for personal injury, including death, resulting from the performance of medical, surgical, dental, or related functions,” is a claim against the US under the FTCA.

Read more at JDSupra.

I’m going to need to read this one a few times to begin to understand it. After some digging, I found that the case is Doe v. Neighborhood Healthcare et al., Southern District of California (San Diego), 3:21-cv-01587-BEN-RBB. The motion for substitution can be found on RECAP, here. The order granting the motion for substitution can be found on RECAP, here.
Terri Sullivan reports:

Elizabeth Spilker might know more about you than you think. For about a year now, a local hospital has been faxing other people’s personal medical records to her home.

“We have been getting regular faxes over the last year or so from Grant Medical Center, with people’s personal information attached,” said Spilker.

Asked what kind of information she was getting, Spilker replied “Name, weight, age, medical problem, history, list of medications. Pretty much anything you’d want to know.”

Read more on ABC6.

OhioHealth’s statement to ABC makes it sound like it was just one patient who was affected. But if the person has been getting “regular faxes” for more than one year, wouldn’t the recipient know if it was just about one patient or many patients? And why didn’t the center deal with this when Spilker called them?

It wouldn’t be a bad thing for OCR to fine an entity for this kind of slop – failing to fix a problem after being notified.
A U.S. Department of Health and Human Services Administrative Law Judge (ALJ) has ruled that The University of Texas MD Anderson Cancer Center (MD Anderson) violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and granted summary judgment to the Office for Civil Rights (OCR) on all issues, requiring MD Anderson to pay $4,348,000 in civil money penalties to OCR. This is the second summary judgment victory in OCR’s history of HIPAA enforcement and the $4.3 million is the fourth largest amount ever awarded to OCR by an ALJ or secured in a settlement for HIPAA violations.

MD Anderson is both a degree-granting academic institution and a comprehensive cancer treatment and research center located at the Texas Medical Center in Houston. OCR investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted universal serial bus (USB) thumb drives containing the unencrypted electronic protected health information (ePHI) of over 33,500 individuals. OCR’s investigation found that MD Anderson had written encryption policies going as far back as 2006 and that MD Anderson’s own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011, and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013. The ALJ agreed with OCR’s arguments and findings and upheld OCR’s penalties for each day of MD Anderson’s non-compliance with HIPAA and for each record of individuals breached.

“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” said OCR Director Roger Severino. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”

MD Anderson claimed that it was not obligated to encrypt its devices, and asserted that the ePHI at issue was for “research,” and thus was not subject to HIPAA’s nondisclosure requirements. MD Anderson further argued that HIPAA’s penalties were unreasonable. The ALJ rejected each of these arguments and stated that MD Anderson’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” a risk that MD Anderson “not only recognized, but that it restated many times.”

The Notice of Proposed Determination and the ALJ’s opinion may be found on the OCR website at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/mdanderson/index.html

SOURCE: HHS

Previous coverage of the incidents referenced in this case can be found on DataBreaches.net here.
Shari Weiss reports:

… It’s said that over the course of his stay, an unknown number of staffers tried to gain illegal access to West’s electronic medical records. Of course, like with every patient, they were to be protected by HIPAA, a law that mandates private health information only be shared with those who have been officially granted access, known as “covered entities.” In this case, it’s believed that UCLA employees who did not fall within that category are now under investigation for their improper behavior. TMZ, which broke the news, claims “several dozen people have been or will be fired.”

Read more on GossipCop.

Gee, the sites I have to read to bring you all the news on medical privacy breaches….
Another entry for the “Why is this still happening in 2016?” collection. Think long and hard – and then think harder – about whether you should be using thumb drives to transfer unencrypted protected health information.

Rob Morris reports:

Personal data for patients over a period of 12 years might be at risk after two thumb drives went missing during the transfer of computer files from Eastern Carolina Cardiovascular to The Outer Banks Hospital.

Read more on The Outer Banks Voice.

It sounds like the hospital is responsible for this one:

“The Outer Banks Hospital recently acquired certain assets of the OBX Cardiopulmonary Rehabilitation program of Eastern Carolina Cardiovascular P.A.,” a hospital statement released Friday said. “We moved those assets on June 20-21, to The Outer Banks Hospital. On June 22, 2016, we discovered that two flash drives containing patient information went missing.”

So who decided transfer by thumb drive was a secure method for transmitting PHI? And why weren’t the data at least encrypted if you were using thumb drives? The following statement by the hospital suggests that someone may not have followed policy or procedure:

Data Privacy Event Affects Cardiopulmonary Rehabilitation Patients

Written By Amy Montgomery, The Outer Banks Hospital on Aug. 19, 2016

Nags Head, NC – The Outer Banks Hospital is providing notice of a recent data event that may have compromised the security of personal information relating to current and former patients who received treatment at the OBX Cardiopulmonary Rehabilitation program of Eastern Carolina Cardiovascular, P.A., located in Kitty Hawk, NC, from 2004 until June of 2016.

The Outer Banks Hospital recently acquired certain assets of the OBX Cardiopulmonary Rehabilitation program of Eastern Carolina Cardiovascular, P.A. We moved those assets on June 20-21, to The Outer Banks Hospital. On June 22, 2016, we discovered that two flash drives containing patient information went missing. We immediately began working diligently to investigate and to mitigate the potential impact of this incident to determine whether any sensitive information was affected. While there is no indication the information has been misused, we determined that current and former patient information was located on one or both of the flash drives, and we are providing written notice to those individuals for whom we have contact information. The flash drives may have contained the following categories of information: Social Security number, emergency contact number, mental health information, insurance ID number, diagnosis, health history information, patient account number, medical record number, referring physician name, and demographic information.

“This is not consistent with our privacy practices, and we are truly sorry that it occurred,” said Ronnie Sloan, president of The Outer Banks Hospital. “Be assured that we do have policies and procedures in place to allow for appropriate action in response to the inappropriate use, access, or disclosure of our patient’s medical information, and that we have taken steps to address this matter.”

As part of The Outer Banks Hospital’s commitment to the security of personal information, third-party forensic investigators have been brought in to help investigate the incident and the hospital began notifying affected patients by mail on Tuesday, August 16, 2016. As the investigation into potentially affected patients continues, the hospital expects to identify and send letters to the remaining patients whose addresses are on file within the next few weeks. As an additional precaution, The Outer Banks Hospital is offering affected individuals access to one (1) year of free credit monitoring and identity theft restoration services.

The Outer Banks Hospital has established a dedicated assistance line for individuals to ask questions or learn additional information regarding this incident. Individuals can reach this assistance line by calling 1-866-775-4209. If you believe you may have been affected, but did not receive a letter, please contact this assistance line.

The Outer Banks Hospital encourages patients who believe they may be affected by this incident to remain vigilant by reviewing their account statements and monitoring free credit reports for suspicious activity. At no charge, an individual can also have these credit bureaus place a “fraud alert” on their file that alerts creditors to take additional steps to verify their identity prior to granting credit in their name. The contact information for the major consumer reporting agencies is below:

Equifax, P.O. Box 105069, Atlanta, GA 30348; 800-525-6285; www.equifax.com
Experian, P.O. Box 2002, Allen, TX 75013; 888-397-3742; www.experian.com
TransUnion, P.O. Box 2000, Chester, PA 19022; 800-680-7289; www.transunion.com

Individuals can obtain information about fraud alerts, preventing identity theft, and the steps they can take to protect themselves, by contacting the Federal Trade Commission or their state Attorney General. For North Carolina residents, the Attorney General can be contacted at 9001 Mail Service Center, Raleigh NC 27699-9001; (919) 716-6400; and www.ncdoj.gov. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.ftc.gov/idtheft/; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261.

Patients of the OBX Cardiopulmonary Rehabilitation program of Eastern Carolina Cardiovascular, P.A., can find information about the steps to take if they believe their information may be affected at https://www.theouterbankshospital.com/.

The number of patients being notified was not disclosed in the statement or local media report. This post will be updated when the number is revealed.

Update: This incident was subsequently reported to HHS as affecting 1,000 patients.
Here’s one I missed last week, from The NEWSGuard:

“It feels really not good and it is a violating feeling to have someone break into your clinic,” said Gretchen Gantz, HIPAA Privacy and Security Officer for Lincoln County Health and Human Services. Her statement follows the break-in of the North Lincoln County Community Health Center Clinic at 4422 N.E. Devils Lake Blvd., in Lincoln City.

“Plus we now have the added expenses of having to replace things that are grant funded. We run on a shoestring budget, so it is hard when you have a hit like that,” said Gantz.

During the evening of April 17, the Clinic and surrounding offices in the same building, were broken into by an unknown person or persons, according to a release from Casey Miller, Lincoln County public information officer. Locked doors, rooms and cabinets were forcibly entered. Money was taken from the clinic, but it appears no other records or materials were removed. No electronic devices were taken or accessed. However, the locked room which contains medical charts for clients was breached. These files contain protected health information and may also contain information such as social security numbers and personal financial information. Lincoln County has identified and notified the clients whose protected health information and personal information was in those files.

“In accordance with law and standard practices in these situations we are notifying clients of this breach of our security because this information potentially could be compromised,” said Casey. “The charts have been secured and security at the clinic is being enhanced. At this time, there is no evidence to suggest that there was an attempt to obtain or use any protected health or personal information.”

Read more on The NEWSGuard.

h/t, HealthITSecurity.com, who also report on a breach at Gulf Breeze Family Eyecare, Inc. in the same article.
Richard Gazarik reports:

Federal officials are investigating how patient records loaded with intimate medical details and doctors’ personnel files were abandoned amid the ruins of Monsour Medical Center when its administrators walked away from the failing facility six years ago. The records, in easy reach of the vagrants, arsonists and other trespassers who frequent the condemned building, were uncovered this week when Jeannette city attorney Scott Avolio inspected parts of the trash-filled complex with a Tribune-Review reporter and photographer.

Read more on TribLive.

This is not the first time we’ve heard of records just abandoned at a hospital, of course. Previous similar situations (some of which were covered on this blog) include NHS Tayside, Strathmartine, NHS Lanarkshire, and more recently, Belfast Health and Social Care (BHSC) Trust in the U.K., and Greater Detroit Hospital in the U.S., who paid civil penalties to Michigan. Patient records were also found at Forest Haven asylum in D.C. and Dolly Vinsant Hospital in Texas years after they were abandoned.
Here we go…. again. A notice on the home page of The Neurological Institute of Savannah and Center for Spine in Georgia reads:

PUBLIC NOTICE: THEFT OF PERSONAL INFORMATION

If you were a patient between January 1, 2006 – July 2, 2011, we want you to know that a computer hard drive was stolen recently that may have contained some of your personal information. Click here to read more on steps we recommend to secure your identity.

Clicking on the link leads to a notice that says:

PUBLIC NOTICE: THEFT OF PERSONAL INFORMATION

On July 2, 2011, patient identifying information was stolen from the car of an employee of Neurological Institute of Savannah & Center for Spine (“NIOS”). If you were a NIOS patient between January 1, 2006 – July 2, 2011, the stolen drive may have contained your name, social security number, address, date of birth, telephone number, and billing account data. Credit card numbers and medical records were not on the drive. Although parts of the data were encrypted, password protected and randomly stored, there is a possibility your data could be accessed by an unauthorized individual. We have not received any specific information to indicate your information has been used inappropriately. Police believe the thief was looking for items such as cash, laptops or equipment that the thief could easily sell and the thief likely was not trying to steal data.

However, for your protection, you should contact any of the following three credit agencies immediately to place a fraud alert on your credit report:

Equifax: 1-800-525-6285; www.equifax.com; P. O. Box 105069, Atlanta, GA. 30348-5069.
Experian: 1-888-397-3742; www.experian.com; P. O. Box 9532, Allen, TX. 75013.
TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P. O. Box 6790, Fullerton, CA 92834-6790.

You should also obtain a copy of a free credit report from www.annualcreditreport.com and examine it closely for signs of fraud – such as a credit account that is not yours. You should check your credit reports periodically and closely monitor your credit card and bank statements. You should generally be alert to any irregularities in your financial data. You should report to police any problems immediately.

We have reported this event to the local police and are working with them to identify the thief. We are attempting to recover the items taken. We have also modified our security procedures to eliminate any loss or potential breach of this nature in the future.

Please know that The Neurological Institute of Savannah & Center for Spine is committed to protecting the confidentiality, security and integrity of your protected health information and sincerely apologizes for the inconvenience this situation may have caused you. If you have other questions please contact us through our toll free hotline at 1-888-613-3688 or by letter to Neurological Institute of Savannah, Attn: Privacy Officer, P.O. Box 15112 Savannah, Georgia 31416.

According to their notification to HHS, the breach affected 63,425 patients.

So what were 5-year old data doing on a drive in an employee’s car? Even granting that this was likely an opportunistic theft, what was the drive doing in what was presumably an unattended vehicle? Can patients really believe that their providers take confidentiality and security seriously if drives with unencrypted data are being left in cars?
Today’s update to the HHS breach tool web site records some breaches we already knew about but also some other breaches we did not know about through the usual media sources:

California Therapy Solutions in California reported that 1,226 patients had protected health information on a stolen device. The theft occurred on November 15. As of the time of this posting, there is no notice on their web site.

Osceola Medical Center in Wisconsin reported that a hack involving the server of Hils Transcription Service on November 25th exposed the protected health information of 500 patients. There is no statement on either web site at the time of this posting. Ironically, Hils’ site prominently states on its home page, “Our internet servers are secure and HIPAA compliant.” Hmmm.

The International Union of Operating Engineers Health and Welfare Fund in Maryland reported that papers containing PHI on 800 individuals were stolen from Zenith Administrators, Inc, its third party employee benefit program administrator, on November 3. I cannot find any press coverage or statements on either web site at this time.

Finally, as small notes/updates on previously reported breaches:

The OhioHealth/Grant Medical Center breach reportedly affected 501 patients. Until now, we did not have a number for that one.

The Centra breach was reported to HHS as affecting 11,982. According to HHS’s logs, the theft occurred on November 12.

Since the new reporting requirements of HITECH went into effect on September 23, 2009, HHS has recorded 225 breaches affecting 500 individuals or more. Breaches affecting fewer than 500 individuals are reported to HHS but not revealed on a public web site.