Breach notification in three easy mailings? (NOT)
Dr. Cathrine Steinborn, DDS of Santa Clara, California has been notifying patients and regulatory agencies of a recent breach. It appears she has sent three notifications to her patients because her first attempts at notification did not seem to provide them with enough information or support.
From the public notice (with links to the files added by this blogger):
SANTA CLARA, CA – February 20, 2015 – Dr. Cathrine Steinborn, DDS, is providing notice of a recent office theft which may affect the security of patient and responsible party personal and protected health information.
On January 5, 2015, Dr. Steinborn’s office was burglarized and a server containing patient and responsible party information was stolen. The burglary was immediately reported to Santa Clara Police Department. Since the burglary, Dr. Steinborn’s office has increased physical security and surveillance of the premises. The office has also encrypted patient and responsible party information, and enhanced physical security of the server on which this information is stored. Dr. Steinborn provided notice of this incident to affected individuals on January 9, 2015, January 13, 2015, and February 18, 2015. Dr. Steinborn’s investigation into this incident is ongoing. Information that may be contained in each valid record stored on the server includes name, address, date of birth, telephone number, Social Security number, dental and/or medical insurance information, health background information, treatment information, and billing information. The server did not contain bank account, driver’s license, or credit/debit card information.
Although unaware of any actual or attempted misuse of the information stored on the server, Dr. Steinborn is offering each affected individual access to one free year of credit monitoring and identity restoration services. In addition to notifying affected patients and responsible parties about this incident, Dr. Steinborn is providing notice of this incident to certain federal and state regulators.
From a comparison of the January 9, January 13, and February 18 letters, it looks like Dr. Steinborn got a quick lesson in how not to write a breach notification. Her first letter merely said “However, your personal identity and insurance information is on the server and could be compromised,” without being specific as to what data types were involved. The letter was also silent on whether financial or credit card information was on the server, and did not tell patients how data were going to be better protected going forward. On January 13, having apparently received a number of concerned phone calls and/or complaints, Dr. Steinborn sent a letter addressing the questions she had been receiving and correcting the phone number she had given for Experian.
On February 18, Dr. Steinborn offered patients credit monitoring and restoration services through Experian ProtectMyID (the 3-bureau monitoring plan, it seems). The letter is also more specific about security going forward.
Eventually, it seems that Dr. Steinborn provided patients with the information and services they needed and wanted, but it’s a shame that she didn’t get it right on her first attempt, as I can envision patients becoming agitated or angry when given insufficient information and support.