Data breach incident December 2015 involving stolen OHSU hard drive
02/10/16

Portland, Ore. On December 6, 2015, an OHSU research student’s car was broken into and a hard drive was stolen. The hard drive may have contained health information about Neonatal Intensive Care Unit patients admitted to the unit in 2013 who were enrolled in a research study about the potential effect of aminoglycoside antibiotics on hearing. The information included the patient’s full name, date of birth, medical record number, diagnosis, doctor’s name, and some clinical information related to the research. The information did not include address, phone number, any insurance information, social security number, or other identifiers that we believe would result in financial harm to patients or their families. Patient contact information, address or other identifiers were not included.

OHSU takes the privacy of patient information very seriously and has extensive policies and procedures in place to protect patient information, including annual training for our employees to ensure they are aware of their responsibility to protect patient information. If you think your child may have been part of the study, more information is available at the following toll-free number: 844-243-8390.

SOURCE: ohsu.edu

Note: OHSU has had repeated incidents involving the theft of unencrypted patient information (cf. this post for a recap of some previous incidents). HHS’s public breach tool lists four incidents since HITECH went into effect (although not all involved stolen devices). Not one of those four incidents shows any post-investigation summary. Will this be the time OCR cracks down on OHSU? This incident is not up on HHS’s public breach tool (yet), so we don’t know how many were affected in this latest incident.
Oregon Health & Science University is notifying 3,044 patients that their OHSU health information was stored on an Internet-based email and/or document storage service, also known as a “cloud” computing system. Although the Internet-based service provider (Google Drive, Google Mail) is password-protected and has security measures and policies in place to protect information, it is not an OHSU business associate with a contractual agreement to use or store OHSU patient health information. There is no evidence that the data was accessed or used by anyone who did not have a legitimate patient care need to view the information. However, the terms of service indicate the data stored with the Internet-based provider can be used for the “purpose of operating, promoting, and improving [its] Services, and to develop new ones.” OHSU has been unable to confirm with the Internet service provider that OHSU health information has not been, and will not be, used for these purposes. Consequently, OHSU is notifying all affected patients.

In May 2013, an OHSU School of Medicine faculty member discovered residents, or physicians-in-training, in the Division of Plastic and Reconstructive Surgery were using Internet-based services to maintain a spreadsheet of patients. Their intent was to provide each other up-to-date information about who was admitted to the hospital under the care of their division. Upon learning of the incident, OHSU Information Privacy and Security experts undertook an extensive investigation to determine what information was stored on the Internet-based service, who was impacted and the likelihood that disclosure of the information could cause harm to the patients involved. This investigation led to the discovery of a similar practice in the Department of Urology and in Kidney Transplant Services.

After weeks spent reconstructing the data, the privacy and security experts discovered 3,044 patients admitted to the hospital between Jan. 1, 2011, and July 3, 2013, were affected. The data stored with the Internet service provider included the patient’s name, medical record number, dates of service, age, provider’s name and diagnosis/prognosis. For 731 patients, the data also included an address. For 617 patients, neither the reason for the hospital stay (diagnosis) nor the patient’s prognosis (projected outcome) was among the stored data. The data DID NOT include the patient’s Social Security Number, insurance information, credit card information, bank information, phone number or date of birth.

“We do not believe this incident will result in identity theft or financial harm; however, in the interest of patient security and transparency and our obligation to report unauthorized access to personal health information to federal agencies, we are contacting all affected patients. We sincerely apologize for any inconvenience or worry this may cause our patients or their families,” said John Rasmussen, OHSU’s Chief Information Security Officer. All OHSU patient health information found on the Internet-based service has been removed, and all residents have been re-educated about the critical importance of using OHSU-approved tools for securely sharing and updating patient information.

A toll-free number has been established to answer patient questions and concerns. That number is 877-819-9774. The hotline will be staffed Monday through Friday, 6 a.m. to 6 p.m. Letters were sent to affected patients July 26, 2013.

SOURCE: Oregon Health & Science University

Note that this is OHSU’s fifth breach that I’ve reported on this blog since 2008:
In December 2008, they notified 890 patients whose PHI was on a laptop stolen from an employee attending a conference in Chicago;
In June 2009 – also before HITECH went into effect – OHSU notified 1000 patients that their names, treatment information and medical record numbers were on a laptop stolen from a physician’s car outside the doctor’s home (subscription and login required);
In July 2012, more than 14,000 pediatric patients and 200 employees had data on a USB drive stolen in a home burglary; and
In March 2013, they reported that more than 4,000 patients had PHI on a laptop stolen from a researcher’s rental home.
As I read coverage around the internet, I saw a few reports on the recent OHSU breach that mentioned it was OHSU’s third reported HIPAA breach since 2009. Actually, it’s only the second breach that will appear on HHS’s breach tool, but it’s important to note that this was OHSU’s fourth HIPAA breach that we know about since 2008. And disturbingly, all four of them involved stolen devices with unencrypted patient information:
In December 2008, OHSU notified 890 patients that a laptop stolen from a hotel where an employee was staying on business might contain patient records.
In June 2009 – also before HITECH went into effect – OHSU notified 1000 patients that their names, treatment information and medical record numbers were on a laptop stolen from a physician’s car outside the doctor’s home.
In July 2012, OHSU disclosed that 14,495 names and addresses with 14,300 dates of birth, phone numbers, medical numbers, 195 Social Security numbers and vaccination information were on a USB drive stolen from an employee’s home. OHSU only notified 702 of those affected, primarily those whose records “referenced health conditions that are a bit more personal or might be an embarrassment for a patient if disclosed.”
And now, OHSU is notifying 4,022 patients whose information was on a researcher’s laptop stolen from a vacation rental home.

The question seems obvious: what the hell will it take before OHSU encrypts all devices? At what point do we – and HHS – say “enough is enough” and this is just downright negligent or failure to learn from experience? Maybe the doctor who left the laptop in the car violated protocols, but if the data had been encrypted, there wouldn’t have been a reportable breach. Maybe the employee who accidentally took the USB drive home made a mistake, but if the data had been encrypted, there wouldn’t have been a reportable breach. And maybe if OHSU had a policy of encrypting devices used for research purposes, the most recent laptop theft wouldn’t have been a reportable incident.

Approximately 20,000 people had their protected health information needlessly exposed and stolen because OHSU didn’t – and doesn’t – encrypt all devices containing PHI. HHS has seemingly not closed its investigation of the July 2012 reported incident. The newest incident hasn’t even been added to their breach tool yet. But because HHS does not have records on the 2008 and 2009 incidents, they are likely to miss the big picture – that OHSU has had repeated and easily avoidable breaches. And that’s a shame.
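The check behind the point above, as an added example that is not from the original post or from OHSU: before a laptop or external drive is allowed to carry PHI, verify that every mounted filesystem sits on an encrypted block device. The script parses the JSON that util-linux `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints on Linux and reports any mountpoint with no dm-crypt (LUKS) layer between it and the physical disk. The sample lsblk output is constructed, and the list of boot partitions that are allowed to stay clear-text is an assumption.

```python
"""Flag mounted filesystems that are not backed by an encrypted (dm-crypt) device.

Added example: parses the JSON from `lsblk -J -o NAME,TYPE,MOUNTPOINT`.
"""
import json
import subprocess
from typing import Dict, Iterable

# Constructed sample of lsblk JSON (not captured from a real host): the root
# filesystem lives inside a LUKS container, but /home is a plain partition on a
# second disk, which is exactly what a stolen-laptop breach exposes.
SAMPLE_LSBLK_JSON = """
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "mountpoint": "/"}
    ]}
  ]},
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/home"}
  ]}
]}
"""

# Mountpoints expected to be clear-text because the bootloader reads them
# (assumption for this example; adjust to the fleet's disk layout).
DEFAULT_IGNORE = ("/boot", "/boot/efi")


def unencrypted_mounts(lsblk_json: str,
                       ignore: Iterable[str] = DEFAULT_IGNORE) -> Dict[str, str]:
    """Return {mountpoint: device} for each mounted filesystem whose device
    tree contains no 'crypt' node between the filesystem and the disk."""
    tree = json.loads(lsblk_json)
    skip = set(ignore)
    findings: Dict[str, str] = {}

    def walk(node: dict, under_crypt: bool) -> None:
        # Once the path passes through a dm-crypt mapping, everything below
        # it is encrypted at rest; otherwise a mounted node is a finding.
        under_crypt = under_crypt or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")
        if mountpoint and not under_crypt and mountpoint not in skip:
            findings[mountpoint] = node["name"]
        for child in node.get("children", []):
            walk(child, under_crypt)

    for device in tree["blockdevices"]:
        walk(device, False)
    return findings


def audit_this_host(ignore: Iterable[str] = DEFAULT_IGNORE) -> Dict[str, str]:
    """Run lsblk on the local Linux machine and return its unencrypted mounts."""
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
        capture_output=True, text=True, check=True,
    ).stdout
    return unencrypted_mounts(out, ignore)


if __name__ == "__main__":
    for mountpoint, device in unencrypted_mounts(SAMPLE_LSBLK_JSON).items():
        print(f"UNENCRYPTED: {mountpoint} on {device}")
```

Run on the constructed sample this flags `/home` on `sda1` and nothing else. The check only sees dm-crypt mappings; filesystem-level encryption (fscrypt, ZFS native encryption) and self-encrypting drives need their own verification, and on Windows and macOS the equivalent status commands are `manage-bde -status` and `fdesetup status`. The value of running this in an asset inventory is that "we require encryption" becomes a per-device fact rather than a policy statement.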
Today’s update to HHS’s breach tool included a number of incidents that I had not known about:

Servicios Medicos Integrados de Fajardo in Puerto Rico reported that T & P Consulting, Inc. d/b/a Quantum Health Consulting lost device(s) with PHI on 10,000. The incident occurred on January 11, 2012, and I had already entered this in DataLossDB.org, except… that HHS has two entries for this breach, both dated January 11, 2012. The first one, already included in HHS’s breach tool and DataLossDB.org, involved a report of a stolen laptop with information on 36,609. Today’s addition to the breach list refers to the loss of an electronic device with information on 10,000. Was more than one device involved in the incident?

Columbia University Medical Center and NewYork-Presbyterian Hospital reported that 4,929 patients had PHI on a stolen desktop computer. The theft from a locked office occurred sometime between October 12, 2012 and October 15, 2012. I was able to find a privacy alert still on their website and a press release.

CenterLight Healthcare in New York reported that 642 patients had PHI disclosed in an email incident on January 27, 2012. I was unable to locate additional information on this one.

Wyatt Dental Group in Louisiana reported what sounds like an insider breach affecting 10,271 patients. According to the log entry, the breach occurred between November 4, 2011 and April 15, 2012 and involved “Theft, Unauthorized Access/Disclosure” of an “Electronic Medical Record.” I was able to locate their attorneys’ report with the Maryland Attorney General’s Office, which confirms this was an insider breach. The dental group learned of it on July 19, 2012 from the Louisiana State Police.

The Arkansas Department of Finance and Administration, Employee Benefits Division reported that 7,039 employees were affected by a breach at Health Advantage that occurred in October 2012. The incident involved paper records, and Health Advantage separately reported the breach as affecting 2,863. In addition to Arkansas DFA, Baptist Health System in Arkansas reported that 811 of their patients were affected by the incident.

Titus Regional Medical Center in Texas reported that 5,700 patients were affected by an incident involving a laptop on March 27, 2012. In checking my records, I see that Titus Regional Medical Center had reported a theft on March 29, 2012 that affected 500 patients. That report does not indicate the location of the data. This newly added report describes the incident as “loss, other” of a laptop, so I’m not sure if these two reports are part of the same incident or not, or if one of them refers to the laptop that may have fallen off a fender.

The University of New Mexico Health Sciences Center reported that 2,365 patients had PHI on a server that was hacked on May 21, 2012. I haven’t found any additional details on this one yet.

Pousson Family Dentistry in Louisiana reported that 1,400 patients – including Dr. Pousson himself – had PHI on a laptop stolen on December 3, 2012. I was able to locate a copy of their notification letter dated December 18, 2012.

Original Medicine Acupuncture & Wellness, LLC of New Mexico reported that 540 patients had PHI on laptops stolen in an office burglary on September 7, 2012. I was able to locate a copy of their media notice.

The Visiting Nurse Services of Iowa reported that 1,298 patients had PHI on stolen paper records. I was unable to locate any additional details.

The University of Nevada School of Medicine notified 1,483 patients whose PHI was on records that were accidentally disposed of on October 11, 2012 instead of being shredded. I was able to locate their notice about the breach.

The County of San Bernardino Department of Public Health in California reported that 1,370 patients had PHI on records involved in a breach that occurred between September 28, 2012 and September 30, 2012 involving “Unauthorized Access/Disclosure, Paper.” I was unable to locate any notice for this breach.

AccentCare Home Health of California, Inc. reported that 1,000 patients had PHI in a breach involving e-mail that occurred in April 2012. I was unable to find any details on this breach, either.

Molalla Family Dental in Oregon reported that 4,354 patients had PHI involved in a hacking incident on May 17, 2012. I was able to locate some media coverage of the breach and this reference to a “back-door portal.”

Rob Meaglia, DDS reported that 1,400 patients had PHI on a desktop computer stolen during an office burglary on December 16. I’ll have more to say about this incident in a separate post this week, but here’s his notification letter to patients.

The Wyoming Department of Health reported that 11,935 had PHI involved in an October 16, 2012 incident involving “Unauthorized Access/Disclosure, Network Server.” I was able to locate their notice on their website that explained that this was an exposure incident affecting the Special Supplemental Nutrition Program for Women, Infants and Children (WIC) Program.

Terrell County Health Department in Georgia reported that 18,000 had PHI involved in an incident that occurred January 9, 2012 to April 17, 2012 involving “Unauthorized Access/Disclosure, Network Server.” I’ve been unable to find any details on this breach, but with 18,000 affected, I’m surprised that I never saw this in the news.

Florida Healthy Kids Corporation reported that a breach involving DentaQuest of Florida, LLC affected 3,667. The breach occurred November 1, 2012 – December 20, 2012 and involved “Unauthorized Access/Disclosure, Paper.” I was unable to locate any documentation on the incident.

Coastal Home Respiratory, LLP in Georgia reported that 3,440 patients had their data stolen on October 4, 2012. Well, I think it was stolen. The HHS log reports it as “Theft, Other” but I can find no documentation on the incident.

Miami Beach Healthcare Group LTD dba Aventura Hospital and Medical Center in Florida reported 2,560 patients had PHI stolen from their EMR between January 1, 2012 and September 12, 2012. Here is the hospital’s statement. I’m surprised there wasn’t more coverage of this or that I missed this one.

Baptist Health System in Alabama reported that 1,655 had PHI on paper records disposed of improperly on […]
An update to HHS’s breach tool this week adds 16 more incidents to their counter, although two of the entries appear to be for the same incident. Significantly, the list includes yet another Florida hospital report of theft of patient data, presumably for tax refund fraud or other fraud. In this case, though, it was not an employee of the hospital but an employee of a vendor. And once again, it seems, the hospital did not detect any problem until law enforcement alerted them.

Some of the incidents were previously noted in the media, on this blog, or on DataLossDB.org. For those, I’m simply adding notes as to what, if anything, we learned from the report to HHS that we didn’t previously know:
Oregon Health & Science University: the laptop stolen from a surgeon’s rental home reportedly contained PHI on 1,114. In March, OHSU had indicated that more than 4,000 were affected.
WA Department of Social and Health Services
Shands Jacksonville Medical Center, Inc.
University of Florida
Hospice and Palliative Care Center of Alamance Caswell
Texas Tech University Health Sciences Center
University of Mississippi Medical Center: the lost or missing laptop may have been missing as early as November 1, 2012. The center detected its loss on January 22.
Mid America Health, PrevMED: Strangely, this breach is first appearing on HHS’s breach tool now even though the incident occurred in April 2012 and in June 2012, MAH notified Maryland that it was notifying HHS.
Glens Falls Hospital, Portal Healthcare Solutions

The following are incidents that I didn’t already know about:

John J. Pershing VA Medical Center in Missouri reported that 589 patients were affected by a paper records breach on February 20. A statement linked from the home page of their web site explains:

During a routine inspection, staff from the John J. Pershing VA Medical Center in Poplar Bluff recently discovered a box in an unoccupied equipment storage room; a box that contained personally identifiable information. The information, including social security numbers, concerned approximately 580 Veteran patients at the medical center. Though there is no indication the information was accessed or used by unauthorized personnel, the medical center is taking no chances. “The room was generally kept locked with only staff or contractors having access, but we cannot be absolutely certain the storage area was completely secure at all times, so we are notifying Veterans who could be affected,” noted Medical Center Director and CEO, Marj Hedstrom. “Every Veteran whose name was contained in the box will receive a letter of notification and, where appropriate, an offer of credit monitoring for one year at no charge.”

Texas Health Care, P.L.L.C. reported that 554 were affected by a breach on March 10 involving “theft, paper.” No statement appears on the practice’s web site and I can find no substitute notice or press release about the breach in online sources I searched. An email inquiry was sent to the practice but received no response by the time of this publication.

Lake Granbury Medical Center in Texas reported that 502 patients were affected by a breach on February 13 involving “Theft, Paper.” There does not appear to be any statement on their web site, and again, I could find no substitute notice available online.

Carpenters Health & Welfare Trust Fund for California reported that its business associate, QuickRunner, Inc. (dba RoadRunner Mailing Services), experienced a breach involving paper records that affected 2,400 on March 11 and March 12. Neither entity appears to have a substitute notice on their respective web sites, and I can find no media coverage at the time of this publication.

Mount Sinai Medical Center in Florida reported that 628 patients were notified of a breach that seemingly occurred over a period of months. Curiously, the report on HHS’s breach tool did not include any mention of the business associate, even though it was an employee of a vendor who reportedly stole patient information. A statement on the medical center’s web site explains:

At Mount Sinai Medical Center, we take our commitment to patient privacy very seriously, and we work diligently to ensure the security of our patients’ confidential information. Regrettably, this notification concerns an incident related to that information. On February 28, 2013, we learned from local law enforcement that an employee of a contracted vendor of the Medical Center may have accessed patient information inappropriately from October 2012 to February 2013. Upon learning this information, we conducted an investigation and began fully cooperating with law enforcement authorities. The suspect has been arrested. Our investigation confirms that the information involved includes patient names, dates of birth, Social Security numbers, and addresses. A second group of information includes patient names, addresses, bank account numbers, and routing numbers. While a patient’s information may have been exposed, it does not mean that it was misused. The incident did not affect any patients’ medical records, medical treatment or Mount Sinai billing accounts. We began mailing letters to affected patients on March 15, 2013. We have also set up a call center with a toll-free help line for all patients who have questions. The phone number is 1-877-282-6407. The call center is staffed weekdays from 9 am until 7 pm eastern time. Also, if you have concerns about this situation and have not received a letter from us by March 29, 2013, please call the help line with your questions. We deeply regret any inconvenience or concern this event may cause. We are in the process of undergoing a comprehensive review of our security policies and practices to help prevent a similar incident from occurring in the future.

Thomas L. Davis, Jr., DDS of Oregon reported that 3,269 patients were notified of a breach in February involving EMRs and a desktop computer. Dr. Davis does not appear to have a web site and I can find no press release or substitute notice about the breach by the time of this publication.
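The reconciliation that the two breach-tool posts above do by hand (two HHS entries for one incident, one business-associate breach filed separately by each covered entity it touched, and the same entity turning up again and again with a stolen laptop or USB drive) can be scripted. The example below is added here and is not from the blog or from HHS. It reads rows in the shape of the breach tool’s CSV export, clusters rows that share a breach date and a party name as likely duplicates, and counts distinct portable-device loss incidents per covered entity. The column names, entity names, dates and counts in the sample are constructed (the real export has more columns), and the duplicate heuristic is an assumption a reviewer would still have to confirm by reading the notices.

```python
"""Reconcile breach-tool rows: cluster likely duplicates, count repeat device losses.

Added example; sample rows are constructed in the shape of the HHS export.
"""
import csv
import io
import re
from collections import defaultdict
from typing import Dict, List, Set

SAMPLE_CSV = """\
Name of Covered Entity,State,Business Associate Involved,Individuals Affected,Breach Date,Type of Breach,Location of Breached Information
Example Clinic of Fajardo,PR,Example Consulting LLC,30000,01/11/2012,Theft,Laptop
Example Clinic of Fajardo,PR,Example Consulting LLC,9000,01/11/2012,Loss,Other Portable Electronic Device
Example State Benefits Division,AR,Example Health Plan,7000,10/01/2012,Theft,Paper
Example Health Plan,AR,,2800,10/01/2012,Theft,Paper
Example Baptist Health,AR,Example Health Plan,800,10/01/2012,Theft,Paper
Example University Hospital,OR,,14000,07/04/2012,Theft,Other Portable Electronic Device
Example University Hospital,OR,,4000,02/22/2013,Theft,Laptop
Example Medical Center,NY,,4900,10/12/2012,Theft,Desktop Computer
Example Dental Group,LA,,10000,11/04/2011,"Theft, Unauthorized Access/Disclosure",Electronic Medical Record
"""

LOSS_TYPES = {"theft", "loss"}
PORTABLE = {"laptop", "other portable electronic device"}


def load_rows(text: str) -> List[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def _norm(name: str) -> str:
    """Lower-case and strip punctuation so 'Inc.' vs 'Inc' or d/b/a spacing
    differences do not defeat the match."""
    return re.sub(r"[^a-z0-9]+", " ", name.lower()).strip()


def _parties(row: dict) -> Set[str]:
    """Every organisation named on the row. A business associate that also
    files its own report appears as a covered entity elsewhere, so the two
    columns are pooled into one name set."""
    parties = {_norm(row["Name of Covered Entity"])}
    ba = _norm(row["Business Associate Involved"])
    if ba:
        parties.add(ba)
    return parties


def likely_duplicates(rows: List[dict]) -> List[List[int]]:
    """Cluster rows that share a breach date and, transitively, at least one
    party name. Returns sorted lists of row indexes; singletons are dropped."""
    by_date: Dict[str, List[int]] = defaultdict(list)
    for i, row in enumerate(rows):
        by_date[row["Breach Date"]].append(i)

    clusters: List[List[int]] = []
    for idxs in by_date.values():
        groups: List[tuple] = []  # (party-name set, row indexes)
        for i in idxs:
            keys, members = set(_parties(rows[i])), [i]
            untouched = []
            for names, rows_in in groups:
                if names & keys:  # a shared party merges the whole group
                    keys |= names
                    members += rows_in
                else:
                    untouched.append((names, rows_in))
            groups = untouched + [(keys, members)]
        clusters.extend(sorted(m) for _, m in groups if len(m) > 1)
    return sorted(clusters)


def repeat_portable_losses(rows: List[dict], min_incidents: int = 2) -> Dict[str, int]:
    """Count distinct breach dates per covered entity on which a laptop or
    other portable device was stolen or lost. Counting dates, not rows, keeps
    duplicate entries for one incident from being counted twice."""
    incidents: Dict[str, Set[str]] = defaultdict(set)
    for row in rows:
        types = {_norm(t) for t in row["Type of Breach"].split(",")}
        location = _norm(row["Location of Breached Information"])
        if types & LOSS_TYPES and location in PORTABLE:
            incidents[row["Name of Covered Entity"]].add(row["Breach Date"])
    return {ce: n for ce, n in ((ce, len(d)) for ce, d in incidents.items())
            if n >= min_incidents}


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    for cluster in likely_duplicates(rows):
        print("possible duplicate reports:",
              [rows[i]["Name of Covered Entity"] for i in cluster])
    print("repeat portable-device losses:", repeat_portable_losses(rows))
```

On the constructed sample the two Fajardo rows and the three Health Plan rows come out as clusters, and only the university hospital is reported as a repeat portable-device loser, because its two thefts have different dates while the Fajardo pair collapses to one incident. The heuristic will also cluster unrelated breaches that happen to share a date and a large national business associate, so the output is a worklist for a reviewer, not a verdict.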