Wentworth-Douglass reports insider breach at business associate, Ambucor (UPDATE5)

First it was Carolina Cardiology Consultants disclosing that 2500 of their patients had been affected by a breach at their business associate, Ambucor.  Then it was Lebanon Cardiology Associates, PC (now known as WellSpan Cardiology) notifying HHS that 537 of their patients had been affected by Ambucor’s incident. Now it’s Wentworth-Douglass Hospital notifying 775 of their patients of the breach. Fosters reports: Ambucor discovered recently that thumb drives recovered from one of its former employees contained personal information of thousands of patients nationwide, including 775 WDH patients. The personal information did not include Social Security numbers or credit card, insurance, Medicaid/Medicare or other financial information. The personal information may have included patient’s name, date of birth, home address, phone number, medications, race, testing data, patient identification number, medical device information such as the manufacturer, diagnosis, Ambucor enrollment number, Ambucor enrollment date, Ambucor technician name, physician name(s), and the name and address of the practice where the patient was seen. Read more on Fosters. A copy of Ambucor’s notification to Lebanon Cardiology’s patients, provided to DataBreaches.net by WellSpan, indicates that the employee misconduct occurred in March, 2016, but Ambucor did not discover it until July, when according to a statement from Greenville Health System, Ambucor, was informed by law enforcement, who gave them the thumb drives with patient information. In July, when Ambucor reported the incident to HHS, they reported 1,679 patients were affected. So far, we have 3,812 patients for the three entities mentioned in this post, so it’s not clear what the total number really is for this incident. DataBreaches.net has sent an inquiry to Ambucor, and will update this post if more information becomes available. Update: It seems that 4,500 Main Line Health patients were also notified of the breach earlier this month, although I don’t see any notification on HHS at this time. Main Line also reports that the former employee is currently incarcerated.   In addition to Main Line Health, also add the following entities whose patients have also been notified of the Ambucor incident: Stony Brook Internists, University Faculty Practice Corporation (UFPC), whose notice does not indicate the number of patients, but notes that the employee’s incarceration is on unrelated charges;  Lenox Hill Heart and Vascular Institute, whose notice does not indicate the number of patients; Pikeville Medical Center, whose notice in June is no longer available online; and Conemaugh Physician Group Cardiology, whose notice does not indicate the number of patients. As I come across others, I’ll add them to this post. Update 2: Add Berkshire Medical Center (Cardiology Services) to the list. All of their 1,745 patients were notified. Update 3: Add New Mexico Heart Institute, who had 4100 patients to notify. Update 4: Add Cleveland Clinic Akron General, who are notifying 730 patients. Ambucor has not responded to the inquiry sent to them asking for a fuller disclosure as to how many patients, total, have been notified of this incident. Update 5: I was able to locate the Pikeville Medical Center news coverage of the incident. Somewhat surprisingly, it was in their June 3 newsletter and said they had been recently notified. How could that be when Ambucor supposedly didn’t find out about the breach until around July 1 when law enforcement notified them? Perhaps they were notified by law enforcement earlier but did not recover the thumb drives from law enforcement until July?

Insider breaches dominate in Protenus’s November Breach Barometer

As in previous months, Protenus has summarized what kind of month November was for breaches involving health data. And as the November issue of Breach Barometer makes clear, insider/employee incidents outnumbered external attacks in a month where we first learned of 57 incidents – the largest number of monthly reports this year. One of the main explanations for November having so many reports is that clients of a few business associates that had experienced breaches all started submitting notifications to HHS and patients. Of special note, the Ambucor Health Solutions breach – reported by Ambucor to HHS back in July as affecting 1,679 patients – accounted for 11 of the incident reports this month and 16,765 records for the 9 Ambucor-related reports for which we had numbers. Similarly, 4 more clients of EMR4All/RBS reported their incidents in November. Both Ambucor and EMR4All/RBS were insider breaches: the former, a case of insider-wrongdoing, and the latter, a case of insider error. Protenus’s Breach Barometer is particularly helpful to those interested in analyzing breach trends because the HHS public breach tool generally does not accurately reflect the extent to which breaches involve a third party. If you were to rely on HHS’s breach tool, you might think there were only 3 business associate breaches in November, yet our research and analysis indicated that at least 25 incidents involved a third party, and we realize that that’s likely only the tip of a much larger iceberg. While Protenus provides aggregated statistics, readers who are curious may want to know which incidents were included in the November report. The following organizations or entities all had incidents that were included in their November statistics: Aetna Signature Administrators Austin Pulmonary Consultants Bay Sleep Clinic Berkshire Medical Center Best Health Physical Therapy, LLC Biomechanics LLC Briar Hill Management Broward Health: Broward Health Imperial Point Camas Center Clinic, Kalispel Tribe of Indians Carolina Cardiology Consultants (Greenville Health System) Charleston Area Medical Center CHI Franciscan Health Cleveland Clinic Akron General Conemaugh Physician Group Cardiology Consultants in Neurological Surgery, LLP Darlingten Eye Institute of Marin GHI (Emblem Health) Glendale Adventist Harrisonburg OB GYN Associates, P.C. Horizon Blue Cross Blue Shield of New Jersey Indiana Family and Social Services Administration -Indiana Health Coverage Program Irvine Company Kaiser Foundation Health Plan Kaiser Permanente Health Plan – N. Cal Kaiser Permanente Health Plan- S. Cal KinetoRehab Physical Therapy, PLLC La Gloria Pharmacy LCS Westminster Partnership IV, LLP d/b/a Sagewood Lebanon Cardiology Associates, PC (now known as WellSpan Cardiology) Lenox Hill Heart and Vascular Institute Lister Healthcare Louisiana Health Cooperative, Inc. in Rehabilitation Luque Chiropractic Main Line Health Managed Health Services Horizon BCBS & UnitedHealth Group New Mexico Heart Institute North Texas Heart Center, P.A OC Gastrocare OptumHealth New Mexico Pikeville Medical Center Pinellas County Board of County Commissioners Primerica Seguin Dermatology Stony Brook Internists, University Faculty Practice Corporation VA Eastern Colorado Health Care System Vanderbilt U. Psychological & Counseling Center Vascular Surgical Associates Vein Specialists of Northwest Georgia Vision Care Florida, LLC WADA and USADA Wal-Mart Stores, Inc. Washington Department of Social and Health Services- Aging and Disability Services Watsonville Chiropractic (David W. Christie, D.C.) Wentworth-Douglass Hospital Young Adult Institute, Inc. The following entities or organizations all had some involvement in reported incidents as business associates to the above or as third -parties in reported incidents: Aetna Signature Administrators Ambucor Health Solutions AON Hewitt Briar Hill Management Command Marketing Innovations Darlingten EMR4All/RBS HP Enterprise Services, LLC Marin Medical Practice Concepts, Inc. Unnamed cleaning service Unnamed vendor Unnamed vendor + UPS The majority of incidents included in the barometer can be found on DataBreaches.net by using the search function for the entities’ names.

WDH records tampering trial will take place next year

Jennifer Keefe reports the latest legal development in a patient records breach that involves charges and counter-charges between two doctors, an office worker: It appears there won’t be a trial in the Wentworth-Douglass Hospital records tampering case until well into 2011. According to court documents recently filed at Strafford County Superior Court, a trial is set for June 2011 that is scheduled to last three to five days. The trial will involve plaintiffs Drs. Cheryl Moore and Glenn Littell, who ran the WDH pathology lab until March, and defendant Mary Lemieux, who worked in the pathology lab before being fired three years ago amid a privacy breach involving altered patient records. Moore and Littell sued Lemieux in March, claiming she “inappropriately and unlawfully accessed” patients’ records and altered them in an attempt to “retaliate” against the doctors after she was transferred in June 2006 from the pathology transcription department to the hospital’s transcription department, where she worked until early summer 2007. Lemieux countersued in May, denying the doctors’ claims and saying she lost her livelihood over the doctors’ false accusations. Read more on Foster’s Daily Democrat.

Former WDH employee files countersuit: Says pathologists falsely accused her of tampering with patient records

Adam D. Krauss reports on the latest development in this ongoing case: The former Wentworth-Douglass Hospital employee who two doctors said unlawfully altered patients’ records has filed court papers denying the claim and charging she lost her livelihood over the doctors’ false claims. Mary Lemieux, who worked at WDH for 14 years until being terminated in 2007, was responding to a suit by Drs. Cheryl Moore and Glenn Littell, who ran the hospital’s pathology lab until March. She claims the pathologists’ intentionally interfered with her “business relationship” with WDH, maligned her character and negligently and intentionally inflicted emotional distress by forcing her out of work at WDH and Exeter Hospital. Read more on Fosters.com

AG's Office: 2nd WDH worker in records case acted in scope of her duties

Adam D. Krause continues to follow allegations of a breach that may not actually be a breach involving Wentworth-Douglass Hospital: The Office of the Attorney General has determined there is “insufficient evidence” to investigate a Wentworth-Douglass Hospital transcriptionist who was alleged to have improperly accessed records of hundreds of patients. Jim Boffetti, who heads the AG’s Consumer Protection and Antitrust Bureau, said the employee accessed the records of 662 patients for a total of 900 times between June 2006 and December 2007 but “it looked like she was acting in the scope of her employment when she did this.” Concord attorney Charles Grau, who is representing two former WDH pathologists, had asked Boffetti’s office to determine if the hospital had to report the employee’s access on the basis it constituted a privacy breach. “Our conclusion was that we found there was insufficient basis to support a reasonable suspicion” there were violations of federal or state law requiring disclosure of a privacy breach, Boffetti said Read more on Fosters.com Part of what continues to fascinate me about this case is that it seems that a disgruntled employee (not the one referenced above) can access patient records within the scope of employment and alter them, but there’s no mandate to report it as a privacy breach because there is “no misuse of the information.” Personally, I think accessing and altering patient information to get revenge on your employer is a misuse of patient information, but that’s just my opinion.