HHS added another batch of reports to its breach tool last week. Here are the ones I hadn’t known about already from either the media or reports to state attorneys general:
Upper Valley Medical Center,OH,,”15,000″,10/01/2010-03/21/2012,Unauthorized Access/Disclosure,Other,7/3/2012,,
The breach went on for over one year? There doesn’t seem to be any media coverage of this breach, so I’ emailed UVMC last week to inquire and will update this entry when I get a response.
In researching this entry, though, I discovered that UVMC had a second, and more recent, breach involving a missing hard drive.
“Luz Colon, DPM Podiatry”,FL,,”1,137″,3/20/2012,”Theft, Loss”,Laptop,7/3/2012,,
Another one where there was no media coverage that I can find.
Independence Physical Therapy,CT,,925,8/1/2011,Theft,Desktop Computer,7/3/2012,,
The computer was stolen in August 2011 and we’re first learning of this now? I cannot find any archived news coverage of this one and there is nothing on IPT’s web site.
Titus Regional Medical Center,TX,,500, 3/29/2012, Theft,Other,7/3/2012,,
This appears to be TRMC’s second reported breach this year. On May 24th, they posted a notice on their web site that says, in part:
Public Notice 5/24/12 – EMS Laptop and X-Ray Storage Breach
In compliance with ARRA/HITECH provisions of HIPAA, the following is a public notification of lost and/or stolen patient information in two separate unrelated incidents:
On March 28, 2012, a laptop computer owned by Titus Regional Medical Center’s Emergency Medical Services was confirmed lost during a routine patient transportation. The laptop is not believed to have been stolen, rather inadvertently left on the fender of ambulance with subsequent fall and loss during route. The data was encrypted and password protected and the computer may have been damaged and rendered inoperable. There is a possibility that personal data, including name, address and social security number, as well as a limited amount of medical data related to the services provided by the EMS department could have been accessed in the unlikely event the computer was opened, running and undamaged.
Lutheran Community Services Northwest,WA,,756,03/29/2012-03/30/2012,Theft,”Desktop Computer, Other Portable Electronic Device”,7/3/2012,,
In an undated notice on their web site, they explain, in part:
On March 30, 2012, we became aware that there had been a break-in at our Bremerton office. Computers and electronic devices were taken, some of which contained sensitive information. A police report was immediately filed and every effort made to recover the information.
A thorough assessment was conducted to determine what sensitive information may have been compromised. Every effort has been made to contact people whose information may have been affected. A total of 3,040 LCSNW clients, volunteers and staff were sent letters notifying them of the situation.
The kinds of sensitive information involved differed a lot by program, but could include:
- Name, Address, Phone Number or Email
- Date of Birth
- Social Security Number
- Driver’s License or Washington ID Number
- Income or payment information about services received
- Information about client conditions, treatment and/or service information or diagnosis
West Dermatology,CA,,”1,900″,04/21/2012 – 04/22/2012,Theft,Other,7/3/2012,,
I could find no media coverage on this one nor any statement on their web site. Since they’re in California and the breach affected over 500, it’s not clear to me why this isn’t on California’s site.
Physician’s Automated Laboratory,CA,,745,03/23/2012 – 03/26/2012,Theft,Paper,7/3/2012,,
A notice dated May 23rd on their web site says, in part:
On March 26, 2012, we discovered that our Patient Service Center located at 2012 17th Street, Bakersfield California 93301 had been broken into and that, among other things, lab requisition forms which were kept in a locked cabinet were missing from the center. We were able to determine that the missing forms are related to certain laboratory services provided between February 1, 2012 and March 23, 2012. So, if you received services at this location during that timeframe, the confidential information taken may have contained your name, address, phone number, date of birth, insurance information, ordering practitioner’s name and laboratory tests ordered.
The Bakersfield Police Department was notified of the break-in for investigation and possible prosecution of the person(s) responsible. Since then, PAL has taken additional steps to ensure this type of information is more secure, as these documents are no longer kept at PAL patient service centers.
“Volunteer State Health Plan, Inc.“,TN,,”1,102”,03/16/2012-04/20/2012,Loss,Paper,7/3/2012,,
VSHP posted a notice on their site that says, in part:
Damaged Mail Leads to VSHP Information Disclosure
CHATTANOOGA, Tenn. — Volunteer State Health Plan (VSHP) has notified approximately 1,100 of its BlueCare members that some of their protected health information was lost last month when envelopes mailed to a West Tennessee clinic were damaged in shipping through the U.S. Postal Service. No patient addresses or Social Security numbers were among the data.
VSHP, a Medicaid managed care organization, investigated the report immediately and discovered that the damaged mail had been sent to Comprehensive Counseling Network. Each envelope contained a check to pay for medical visits and a list of claims for those visits. The checks were not damaged, but the lists of claims were lost at the post office. The postal service has not found them.
The data contained on the missing lists includes:
* First and last name of member
* BlueCare ID number
* Date of service
* Procedure code
* Claim number
* Total charged
* Amount paid
* Provider name and address
In addition to notifying BlueCare members about the incident, VSHP has implemented a new procedure of sending payments and claims lists in reinforced envelopes. This process will continue until clinics are transitioned to electronic fund transfer, eliminating the need to mail checks.
So there you have it: the HHS breach tool serves a valuable function in alerting us to the occurrence of incidents, but it generally fails to provide us with sufficient information to understand the incidents. I continue to think that HHS should be posting more details about incidents.