This post provides substitute breach notification to one patient Oregon Health & Science University could not otherwise directly notify

Federal regulations require substitute notice when notification by postal mail or other direct means cannot be made, but I cannot recall ever seeing a substitute notice that announced it was only being made for one particular patient. The following was published by the Oregon Health & Science University:

On May 16, 2022, a computer belonging to a workforce member was stolen. The device contained a document with the patient’s health information including: the patient’s full name, age, diagnoses, condition, lab results, medications and other treatment information. The disclosed information did not include the patient’s financial information, date of birth, or social security number. Despite exhausting all possible contact options, OHSU was unable to directly notify this patient due to out-of-date contact information (no known home address, phone number, email address, and MyChart account not activated). The impacted patient received services from OHSU during the period of May 2020 to June 2020. Please contact the OHSU Information Privacy and Security Office at 503-494-0219 or [email protected] if you have any questions about this post.

Stolen Oregon Health & Science University hard drive contained babies’ protected health information

Data breach incident December 2015 involving stolen OHSU hard drive
02/10/16, Portland, Ore.

On December 6, 2015, an OHSU research student’s car was broken into and a hard drive was stolen. The hard drive may have contained health information about Neonatal Intensive Care Unit patients admitted to the unit in 2013 who were enrolled in a research study about the potential effect of aminoglycoside antibiotics on hearing. The information included the patient’s full name, date of birth, medical record number, diagnosis, doctor’s name, and some clinical information related to the research. The information did not include address, phone number, any insurance information, social security number, or other identifiers that we believe would result in financial harm to patients or their families. Patient contact information, address or other identifiers were not included. OHSU takes the privacy of patient information very seriously and has extensive policies and procedures in place to protect patient information, including annual training for our employees to ensure they are aware of their responsibility to protect patient information. If you think your child may have been part of the study, more information is available at the following toll-free number: 844-243-8390.

SOURCE:

Note: OHSU has had repeated incidents involving the theft of unencrypted patient information (cf. this post for a recap of some previous incidents). HHS’s public breach tool lists four incidents since HITECH went into effect (although not all involved stolen devices). Not one of those four incidents shows any post-investigation summary. Will this be the time OCR cracks down on OHSU? This incident is not up on HHS’s public breach tool (yet), so we don’t know how many were affected in this latest incident.

Oregon Health & Science University notifies patients of ‘cloud’ health information storage

Oregon Health & Science University is notifying 3,044 patients that their OHSU health information was stored on an Internet-based email and/or document storage service, also known as a “cloud” computing system. Although the Internet-based service provider (Google Drive, Google Mail) is password-protected and has security measures and policies in place to protect information, it is not an OHSU business associate with a contractual agreement to use or store OHSU patient health information. There is no evidence that the data was accessed or used by anyone who did not have a legitimate patient care need to view the information. However, the terms of service indicate the data stored with the Internet-based provider can be used for the “purpose of operating, promoting, and improving [its] Services, and to develop new ones.” OHSU has been unable to confirm with the Internet service provider that OHSU health information has not been, and will not be, used for these purposes. Consequently, OHSU is notifying all affected patients.

In May 2013, an OHSU School of Medicine faculty member discovered residents, or physicians-in-training, in the Division of Plastic and Reconstructive Surgery were using Internet-based services to maintain a spreadsheet of patients. Their intent was to provide each other up-to-date information about who was admitted to the hospital under the care of their division. Upon learning of the incident, OHSU Information Privacy and Security experts undertook an extensive investigation to determine what information was stored on the Internet-based service, who was impacted and the likelihood that disclosure of the information could cause harm to the patients involved. This investigation led to the discovery of a similar practice in the Department of Urology and in Kidney Transplant Services. After weeks spent reconstructing the data, the privacy and security experts discovered 3,044 patients admitted to the hospital between Jan. 1, 2011, and July 3, 2013, were affected.

The data stored with the Internet service provider included the patient’s name, medical record number, dates of service, age, provider’s name and diagnosis/prognosis. For 731 patients, the data also included an address. For 617 patients, neither the reason for hospital stay, or diagnosis, nor the patient’s prognosis, or projected outcome, was among the stored data. The data DID NOT include the patient’s Social Security Number, insurance information, credit card information, bank information, phone number or date of birth.

“We do not believe this incident will result in identity theft or financial harm; however, in the interest of patient security and transparency and our obligation to report unauthorized access to personal health information to federal agencies, we are contacting all affected patients. We sincerely apologize for any inconvenience or worry this may cause our patients or their families,” said John Rasmussen, OHSU’s Chief Information Security Officer.

All OHSU patient health information found on the Internet-based service has been removed, and all residents have been re-educated about the critical importance of using OHSU-approved tools for securely sharing and updating patient information. A 1-800-number has been established to answer patient questions and concerns. That number is 877 819-9774. The hotline will be staffed Monday through Friday, 6 a.m. to 6 p.m. Letters were sent to affected patients July 26, 2013.
SOURCE: Oregon Health & Science University

Note that this is OHSU’s fifth breach that I’ve reported on this blog since 2008:
- In December 2008, they notified 890 patients whose PHI was on a laptop stolen from an employee attending a conference in Chicago;
- In June 2009 – also before HITECH went into effect – OHSU notified 1000 patients that their names, treatment information and medical record numbers were on a laptop stolen from a physician’s car outside the doctor’s home (subscription and login required);
- In July 2012, more than 14,000 pediatric patients and 200 employees had data on a USB drive stolen in a home burglary; and
- In March 2013, they reported that more than 4,000 patients had PHI on a laptop stolen from a researcher’s rental home.

Recent Oregon Health & Science University breach was their fourth breach involving unencrypted information

As I read coverage around the internet, I saw a few reports on the recent OHSU breach that mentioned it was OHSU’s third reported HIPAA breach since 2009. Actually, it’s only the second breach that will appear on HHS’s breach tool, but it’s important to note that this was OHSU’s fourth HIPAA breach that we know about since 2008. And disturbingly, all four of them involved stolen devices with unencrypted patient information:
- In December 2008, OHSU notified 890 patients that a laptop stolen from a hotel where an employee was staying on business might contain patient records.
- In June 2009 – also before HITECH went into effect – OHSU notified 1000 patients that their names, treatment information and medical record numbers were on a laptop stolen from a physician’s car outside the doctor’s home.
- In July 2012, OHSU disclosed that 14,495 names and addresses with 14,300 dates of birth, phone numbers, medical numbers, 195 Social Security numbers and vaccination information were on a USB drive stolen from an employee’s home. OHSU only notified 702 of those affected, primarily those whose records “referenced health conditions that are a bit more personal or might be an embarrassment for a patient if disclosed.”
- And now, OHSU is notifying 4,022 patients whose information was on a researcher’s laptop stolen from a vacation rental home.

The question seems obvious: what the hell will it take before OHSU encrypts all devices? At what point do we – and HHS – say “enough is enough” and this is just downright negligent or failure to learn from experience? Maybe the doctor who left the laptop in the car violated protocols, but if the data had been encrypted, there wouldn’t have been a reportable breach. Maybe the employee who accidentally took the USB drive home made a mistake, but if the data had been encrypted, there wouldn’t have been a reportable breach. And maybe if OHSU had a policy of encrypting devices used for research purposes, the most recent laptop theft wouldn’t have been a reportable incident. Approximately 20,000 people had their protected health information needlessly exposed and stolen because OHSU didn’t – and doesn’t – encrypt all devices containing PHI.

HHS has seemingly not closed its investigation of the July 2012 reported incident. The newest incident hasn’t even been added to their breach tool yet. But because HHS does not have records on the 2008 and 2009 incidents, they are likely to miss the big picture – that OHSU has had repeated and easily avoidable breaches. And that’s a shame.

HHS updates breach tool, Part 2: it's news to me

Today’s update to HHS’s breach tool included a number of incidents that I had not known about:
- Servicios Medicos Integrados de Fajardo in Puerto Rico reported that T & P Consulting, Inc. d/b/a Quantum Health Consulting reported lost device(s) with PHI on 10,000. The incident occurred on January 11, 2012, and I had already entered this in, except… that HHS has two entries for this breach, both dated January 11, 2012. The first one, already included in HHS’s breach tool, involved a report of a stolen laptop with information on 36,609. Today’s addition to the breach list refers to the loss of an electronic device with information on 10,000. Was more than one device involved in the incident?
- Columbia University Medical Center and NewYork-Presbyterian Hospital reported that 4,929 patients had PHI on a stolen desktop computer. The theft from a locked office occurred sometime between October 12, 2012 and October 15, 2012. I was able to find a privacy alert still on their website and a press release.
- CenterLight Healthcare in New York reported that 642 patients had PHI disclosed in an email incident on January 27, 2012. I was unable to locate additional information on this one.
- Wyatt Dental Group in Louisiana reported what sounds like an insider breach affecting 10,271 patients. According to the log entry, the breach occurred between November 4, 2011 and April 15, 2012 and involved “Theft, Unauthorized Access/Disclosure” and “Electronic Medical Record.” I was able to locate their attorneys’ report with the Maryland Attorney General’s Office, which confirms this was an insider breach. The dental group learned of it on July 19, 2012 from the Louisiana State Police.
- The Arkansas Department of Finance and Administration, Employee Benefits Division reported that 7,039 employees were affected by a breach at Health Advantage that occurred in October 2012. The incident involved paper records, and Health Advantage separately reported the breach as affecting 2,863. In addition to Arkansas DFA, Baptist Health System in Arkansas reported that 811 of their patients were affected by the incident.
- Titus Regional Medical Center in Texas reported that 5,700 patients were affected by an incident involving a laptop on March 27, 2012. In checking my records, I see that Titus Regional Medical Center had reported a theft on March 29, 2012 that affected 500 patients. That report does not indicate the location of the data. This newly added report describes the incident as “loss, other” of a laptop, so I’m not sure if these two reports are part of the same incident or not, or if one of them refers to the laptop that may have fallen off a fender.
- The University of New Mexico Health Sciences Center reported that 2,365 patients had PHI on a server that was hacked on May 21, 2012. I haven’t found any additional details on this one yet.
- Pousson Family Dentistry in Louisiana reported that 1,400 patients – including Dr. Pousson himself – had PHI on a laptop stolen on December 3, 2012. I was able to locate a copy of their notification letter dated December 18, 2012.
- Original Medicine Acupuncture & Wellness, LLC of New Mexico reported that 540 patients had PHI on laptops stolen in an office burglary on September 7, 2012. I was able to locate a copy of their media notice.
- The Visiting Nurse Services of Iowa reported that 1,298 patients had PHI on stolen paper records. I was unable to locate any additional details.
- The University of Nevada School of Medicine notified 1,483 patients whose PHI was on records that were accidentally disposed of on October 11, 2012 instead of being shredded. I was able to locate their notice about the breach.
- The County of San Bernardino Department of Public Health in California reported that 1,370 patients had PHI on records involved in a breach that occurred between September 28, 2012 and September 30, 2012 involving “Unauthorized Access/Disclosure, Paper.” I was unable to locate any notice for this breach.
- AccentCare Home Health of California, Inc. reported 1,000 patients had PHI in a breach involving e-mail that occurred in April 2012. I was unable to find any details on this breach, either.
- Molalla Family Dental in Oregon reported that 4,354 patients had PHI involved in a hacking incident on May 17, 2012. I was able to locate some media coverage of the breach and this reference to a “back-door portal.”
- Rob Meaglia, DDS reported 1,400 patients had PHI on a desktop computer stolen during an office burglary on December 16. I’ll have more to say about this incident in a separate post this week, but here’s his notification letter to patients.
- The Wyoming Department of Health reported that 11,935 had PHI involved in an October 16, 2013 incident involving “Unauthorized Access/Disclosure, Network Server.” I was able to locate their notice on their website that explained that this was an exposure incident affecting the Special Supplemental Nutrition Program for Women, Infants and Children (WIC) Program.
- Terrell County Health Department in Georgia reported that 18,000 had PHI involved in an incident that occurred January 9, 2012 to April 17, 2012 involving “Unauthorized Access/Disclosure, Network Server.” I’ve been unable to find any details on this breach, but with 18,000 affected, I’m surprised that I never saw this in the news.
- Florida Healthy Kids Corporation reported that a breach involving DentaQuest of Florida, LLC affected 3,667. The breach occurred November 1, 2012 – December 20, 2012 and involved “Unauthorized Access/Disclosure, Paper.” I was unable to locate any documentation on the incident.
- Coastal Home Respiratory, LLP in Georgia reported that 3,440 patients had their data stolen on October 4, 2012. Well, I think it was stolen. The HHS log reports it as “Theft, Other” but I can find no documentation on the incident.
- Miami Beach Healthcare Group LTD dba Aventura Hospital and Medical Center in Florida reported 2,560 patients had PHI stolen from their EMR between January 1, 2012 and September 12, 2012. Here is the hospital’s statement. I’m surprised there wasn’t more coverage of this or that I missed this one.
- Baptist Health System in Alabama reported that 1,655 had PHI on paper records disposed of improperly on […]

Updates to HHS's breach tool includes yet another Florida hospital whose patient data were stolen

An update to HHS’s breach tool this week adds 16 more incidents to their counter, although two of the entries appear to be for the same incident. Significantly, the list includes yet another Florida hospital report of theft of patient data, presumably for tax refund fraud or other fraud. In this case, though, it was not an employee of the hospital but an employee of a vendor. And once again, it seems, the hospital did not detect any problem until law enforcement alerted them.

Some of the incidents were previously noted in the media, on this blog, or on For those, I’m simply adding notes as to what, if anything, we learned from the report to HHS that we didn’t previously know:
- Oregon Health & Science University: the laptop stolen from a surgeon’s rental home reportedly contained PHI on 1,114. In March, OHSU had indicated that more than 4,000 were affected.
- WA Department of Social and Health Services
- Shands Jacksonville Medical Center, Inc.
- University of Florida
- Hospice and Palliative Care Center of Alamance Caswell
- Texas Tech University Health Sciences Center
- University of Mississippi Medical Center: the lost or missing laptop may have been missing as early as November 1, 2012. The center detected its loss on January 22.
- Mid America Health, PrevMED: Strangely, this breach is first appearing on HHS’s breach tool now even though the incident occurred in April 2012 and in June 2012, MAH notified Maryland that it was notifying HHS.
- Glens Falls Hospital, Portal Healthcare Solutions

The following are incidents that I didn’t already know about:
- John J. Pershing VA Medical Center in Missouri reported that 589 patients were affected by a paper records breach on February 20. A statement linked from the home page of their web site explains: During a routine inspection, staff from the John J. Pershing VA Medical Center in Poplar Bluff recently discovered a box in an unoccupied equipment storage room; a box that contained personally identifiable information.
The information, including social security numbers, concerned approximately 580 Veteran patients at the medical center. Though there is no indication the information was accessed or used by unauthorized personnel, the medical center is taking no chances. “The room was generally kept locked with only staff or contractors having access, but we cannot be absolutely certain the storage area was completely secure at all times, so we are notifying Veterans who could be affected,” noted Medical Center Director and CEO, Marj Hedstrom. “Every Veteran whose name was contained in the box will receive a letter of notification and, where appropriate, an offer of credit monitoring for one year at no charge.”
- Texas Health Care, P.L.L.C. reported that 554 were affected by a breach on March 10 involving “theft, paper.” No statement appears on the practice’s web site and I can find no substitute notice or press release about the breach in online sources I searched. An email inquiry was sent to the practice but received no response by the time of this publication.
- Lake Granbury Medical Center in Texas reported that 502 patients were affected by a breach on February 13 involving “Theft, Paper.” There does not appear to be any statement on their web site, and again, I could find no substitute notice available online.
- Carpenters Health & Welfare Trust Fund for California reported that its business associate, QuickRunner, Inc. (dba RoadRunner Mailing Services), experienced a breach involving paper records that affected 2,400 on March 11 and March 12. Neither entity appears to have a substitute notice on their respective web sites, and I can find no media coverage at the time of this publication.
- Mount Sinai Medical Center in Florida reported that 628 patients were notified of a breach that seemingly occurred over a period of months. Curiously, the report on HHS’s breach tool did not include any mention of the business associate, even though it was an employee of a vendor who reportedly stole patient information. A statement on the medical center’s web site explains:

At Mount Sinai Medical Center, we take our commitment to patient privacy very seriously, and we work diligently to ensure the security of our patients’ confidential information. Regrettably, this notification concerns an incident related to that information. On February 28, 2013, we learned from local law enforcement that an employee of a contracted vendor of the Medical Center may have accessed patient information inappropriately from October 2012 to February 2013. Upon learning this information, we conducted an investigation and began fully cooperating with law enforcement authorities. The suspect has been arrested. Our investigation confirms that the information involved includes patient names, dates of birth, Social Security numbers, and addresses. A second group of information includes patient names, addresses, bank account numbers, and routing numbers. While a patient’s information may have been exposed, it does not mean that it was misused. The incident did not affect any patients’ medical records, medical treatment or Mount Sinai billing accounts. We began mailing letters to affected patients on March 15, 2013. We have also set up a call center with a toll-free help line for all patients who have questions. The phone number is 1-877-282-6407. The call center is staffed weekdays from 9 am until 7 pm eastern time. Also, if you have concerns about this situation and have not received a letter from us by March 29, 2013, please call the help line with your questions. We deeply regret any inconvenience or concern this event may cause. We are in the process of undergoing a comprehensive review of our security policies and practices to help prevent a similar incident from occurring in the future.

- Thomas L. Davis, Jr. DDS of Oregon reported that 3,269 patients were notified of a breach in February involving EMRs and a desktop computer. Dr. Davis does not appear to have a web site and I can find no press release or substitute notice about the breach by the time of this publication.

OHSU laptop containing patient information stolen from researcher's vacation rental home

KATU reports:

Oregon Health and Science University is contacting more than 4,000 patients after a laptop containing some of their personal information was stolen from a vacation rental home in Hawaii last month. Information from 4,022 patients was on the computer, according to OHSU spokesman Jim Newman. The surgeon who had the computer was using it for research purposes, so it was not encrypted.

Say what? Because it was being used for research, it wasn’t encrypted? According to coverage of the breach in the Portland Business Journal:

All OHSU laptops are password protected, but encryption is used only on laptops used for patient care. The laptop stolen in Hawaii was used for research and wasn’t encrypted. The surgeon who used the computer received e-mails related to patient care, but believed they would be housed on OHSU’s secure e-mail network. But more recent e-mails are stored on the computer’s hard drive. To prevent this from happening again, OHSU said it has enacted more stringent encryption requirements.

The Columbian also covers the breach:

Information in those schedules was limited to patient names; OHSU patient medical record numbers; type of surgery; surgery dates, times and locations; patient gender and age; and names of the surgeon and anesthesiologist. OHSU security investigators also determined that a small number of the approximately 5,000 emails contained social security numbers for a total of nine patients. Those patients are being offered free identity theft monitoring.

Read more on The Columbian.

OR: OHSU Alerts Patients After Laptop Stolen

Oregon Health & Science University is contacting 1,000 patients after a physician’s laptop was stolen from a car parked at the doctor’s Washington County home. Patient names, treatment dates, short medical treatment summaries and medical record numbers were stored on the computer, said OHSU spokesman Jim Newman in a news release. The computer was password-protected to avoid misuse of the information contained on the computer, officials said. Read more on KPTV.

Victims of W-2 phishing scams (2017 list)

The list of entities reporting that employee W-2 data was acquired by phishing.

Last year, this site compiled 145 W-2 phishing incidents before I somewhat waved a white flag in terms of trying to keep up, but as I started working on this year’s list, I found even more cases from 2016, bringing the 2016 list to 175 reports. Let’s see how 2017 goes. Expect reports to come in over the next months (not weeks, but months, and perhaps throughout the year). Here’s the list I’ve got so far for 2017, and it will be updated as I become aware of new incidents. Steve Ragan of Salted Hash has indicated that he will keep track, too, so do check his space also for additional information. As of March 13, Steve estimates 120,000 affected for the 110 incidents we had as of that date.

Note: I would like to thank the Identity Theft Resource Center and Doug Levin, who both have also been helping find and track these incidents.

Dracut Schools [662 (FOIA response)] Tipton County Schools  Odessa School District [“hundreds of employees”] Campbell County Health  [1,400] Marin Software UGI Utilities [1,900] Sunrun [a “substantial portion” of 4,000 employees] Lexington School District Two (SC) Mercedes Independent School District (TX) [950] eHealthInsurance (eHealth, Inc.) Kuhana Associates Point Coupee Hospital [200] Morton School District (IL) Scotty’s Brewhouse (IN) [4,000] Mitchell Gold + Bob Williams [1,100] Persante Health Care TransPerfect Global Davidson County Schools (NC) Belton Independent School District (TX) [1,700] Argyle School District (TX) Renovate America (CA) Manatee County School District [7,900] Anchor Packaging Distribution International Sky Climber, LLC College of Southern Idaho [2500]  West Michigan Whitecaps [230] Adventist Health Tehachapi Valley [Updated to 253] Verc Enterprises, Inc. 
Monarch Beverage (IN) Corsicana Independent School District Alton Steel [300] Mohave Community College City of Twinsburg, Ohio [500] Showpay, LLC SouthEast Alaska Regional Health Consortium Land Title Guarantee Company AmTote Intl [350] Sweeney Drywall Finishes Corp. Mercer County Schools (WVa) [1800] Patrick Industries [4,700] Bloomington Public Schools (MN) [1800] NEO Tech Petro 49  Klondex Gold & Silver Mining Frosch International Travel Citizens Memorial Hospital  Driveline Retail Northwestern College (IA) Asbury Communities [3,000] TrustComm, Inc. Verato, Inc. (data were in “encrypted” format) TrueNet Communications [506]  Pacific Biosciences (corrected) Bentley Truck Services Tate Access Floors [7] Accolade, Inc. ABNB Federal Credit Union (got 2015 data, but not requested 2016 data) MBA Consulting Services [2015 data] Goode Compliance International (? ) Vecellio Group Astadia, Inc. Ashland University Maxor National Pharmacy Services Virginian Wesleyan College Amplify Education Black River Falls School District [478] Trenton R-9 School District [260] Barron Area School District [431] American Senior Communities* (IN) [“more than 17,000”] Crotched Mountain Foundation [~1000] Mount Healthy City Schools [600] Meridian Health Services [1200] Viskase Companies, Inc. [590] InterMountain Management, LLC Cayan LEAF Commercial Capital, Inc. Gardiner & Appel (Phishing?) North Carolina Symphony [262] Ellwood Thompson’s Local Market  [360] Civitas Media San Antonio Symphony [250] Abernathy Independent School District The Amalgamated Sugar Company, LLC [2,858] Tab Products Co., LLC Vintage Realty Company (2015 and 2016) Redmond School District [~1000] North Ridgeville Beckett Air [~200]  Independence School District  Wisenbaker Building Services Autoneum North America Inc.  
[2,400] Northeast Ohio Regional Sewer District** [~900] MetWest Terra Hospitality Yukon Public Schools Allied Minds, LLC Aero Air Groton Public Schools [1300] MAM Software [81] Tyler Independent School District   Glastonbury Public Schools [1600] Equian LLC (and subsidiaries, Nurse Audit LLC)  Weidenhammer [~180] Alabama State Port Authority [780] Joseph-Beth ProScan Imaging, LLC PCA Skin Ark City School District – USD 470 Berkley Mid-Atlantic Group Dawson BBB Industries, LLC*** Geokinetics ADF International  Dairy Management, Inc ? (sent inquiry as to W-2 phishing) QualiChem, Inc [84] Toscano Clements Taylor [36] Ben Bolt Independent School District [150] Arkansas City USD 470 [“dozens,” but not all] NSC Technologies, LLC City of San Marcos [803] Colorado Nonprofit Development Center Defense Point Security, LLC  SolutionsIQ, Inc. Biomedical Systems Corp. American Tire Distributors J.N. Phillips Company (and subsidiaries Windshield Centers LLC and Strategic Claim Services, Inc.) Palm Bay International  Powhatan County Public Schools [905] Coupa [625] Walton School District [30] Schurman Retail Group Kettle Cuisine [351] Federal Process Corporation (.docx file) Temptronic Corp (subsidiary of inTEST) inMoment, Inc. AmQuip Crane Rental, LLC netPolarity, Inc. Araca Group Mollie Stone’s Markets Ameriflight, LLC Great Falls Holdings Spaulding Youth Center Envelopes Unlimited Sarnova, Inc. TriTech Software Systems Berg, LLC Westminster College (MO) Dutchland Plastics (424) Dental Services Group Solera Holdings CFG Community Bank National Safety Council TIC Gums, Inc. and Specialty Blends, Inc. [got 2015 and 2016 data] LookingGlass Cyber Solutions Inc.  Taconic Biosciences, Inc.  Huckstep Holdings Corp. (d/b/a TechWise) Bostwick Laboratories  Merchant Metals, Inc.  The Grove, Inc. (TGI)  CapTech  Jenner & Block LLP  ABS Associates  Shulman Rogers  Teletrac Navman  GKIC  Biothera Pharmaceuticals  Atlas Container  MGH, Inc.  
Neosho County Community College  Atlantic Coast Mortgage, LLC (W-2’s and 1095-C’s)  Clean Advantage and Advantage Waste  AmTote International  Monoflo International  Pro-Vigil  Frost & Sullivan  INSYS Group  Peak Alarm Company  Columbia Association  Medical Depot, Inc.  E.T. Rockville, E.T. Staffing, & E.T. Holdings [360]  Kettle Cuisine [351]  Vectorworks  American Pest (2015 and 2016 data)  Mary T. Inc. (MTI)  San Diego Christian College  Colony American Finance, LLC  TransCen  Calmark Group (2015 data)  Cross Street Partners  IntelePeer Holdings  C.A. Short  Intact Technology  B.C. Ziegler and Company [145]****  Alignstaffing and RehabPlus Staffing Group, Inc.  Toole Design Group  The Connections Therapy Center  Community Assistance Network  National Older Worker Career Center (2015 and 2016 data)  Aisthesis  GetWellNetwork  VT Industries Vertical Bridge*****  DiCentral Corporation Pacific Quest Paratransit Pacific Science Center Quatro Composites (290)

NOTES:
* Unnamed payroll processor fell for phish.
** Two employees separately fell for the phish and sent out W-2 data.
*** Note: this is NOT “the Better Business Bureau”
**** Although the file with W-2 information was sent, it was password-protected.
***** Employee had recently received training in recognizing phishing attempts

OHSU pays nearly $3 million over two data breaches in 2013

Lynn Terry has the scoop on what appears to be a new HHS resolution agreement. There’s nothing up on HHS’s site or in my mailbox yet about this one, but I had covered the four breaches mentioned in her report as well as a more recent breach (search OHSU).

Oregon Health & Science University has agreed to pay federal authorities $2.7 million for two data breaches in 2013 that involved more than 7,000 patients. OHSU also will enact a “rigorous three-year corrective action plan” as part of a resolution agreement with the U.S. Department of Health and Human Services Office for Civil Rights, according to a statement released Wednesday. The two breaches occurred within three months of each other. One occurred after a surgeon’s laptop was stolen from a Hawaii vacation rental. The computer, which had information on 4,022 patients, was not encrypted. The other case involved newly minted physicians in residency programs for both plastic surgery and urology, and kidney transplants who used an internet-based storage device, or cloud service, to maintain a spreadsheet of patients. The spreadsheet had information on 3,044 people.

Read more on Oregon Live.