Dec 14, 2018

It seems Contra Costa Health Plan discovered that a contractor they had hired, who had access to EHR beginning on December 1, 2014, had used a falsified identity to get the contractor position. The position involved access to EHR as part of the contractor’s functions relating to utilization management.

In a letter to those affected, Frank Lee, J.D., Director of Compliance and Government Relations, writes that CCHP has no indication that the contractor misused the information that she accessed, but under the circumstances, they are notifying everyone whose records she might have accessed.  The number of patients is not indicated in CCHP’s sample notification letter, which is reproduced below. The incident is not yet up on HHS’s breach tool, although I imagine we will see it there eventually.


Dec 14, 2018

Hilary Bird reports:

An N.W.T man says he found hundreds of confidential medical records at the Fort Simpson dump.

The documents contain detailed information about patients’ mental health and history of drug use, including applications to addictions treatment facilities, progress reports from those facilities, and detailed notes from one-on-one counselling sessions.

The documents, many of which were on N.W.T. government letterhead, also included social insurance, treaty and health card numbers.


Dec 13, 2018

One of the newer incidents appearing on HHS’s public breach tool this week is a report from Mind & Motion, LLC in Georgia.  Mind & Motion offers various types of therapeutic modalities. 

On September 30th, 2018, they discovered that their server had been attacked with ransomware.

In a notification to patients, they write:

We have learned that your personal information potentially including: name, address, birthday, gender, medical history, social security number, medical diagnosis, insurance information, and medical records may have been compromised.

Ouch. It’s a great notification letter in terms of transparency, though, as it also details findings by the external consultants they brought in to assist and the steps they are taking to prevent a similar incident in the future. I’m sure some readers will pick up on all the past detritus from attacks and wonder why nothing got detected or prevented sooner, but it is what it is and it sounds like they have taken serious steps to improve their data security. I wish them well.

According to their report to HHS, 16,000 patients have been notified.

You can read their entire web site notice, below:


Dec 12, 2018

Michael Mayer of Faruki writes:

An Ohio federal district court recently handed down a ruling that will make companies storing client data breathe a sigh of relief.  In Williams-Diggins v. Mercy Health, Case No. 3:16-cv-1938 (N.D. Ohio), a patient sued a health system because of deficient patient information software.  (The defendant-health system certified that it subsequently completed updates and additional measures to address the issues with its software.)  The patient sought a nationwide class action lawsuit to pursue various claims, including breach of contract and violation of the Ohio Consumer Sales Protection Act.  The Court dismissed the lawsuit for lack of standing.

Read more on Faruki.  

Dec 12, 2018

Ragas Clan reports:

Darryl Arnold would have unplugged his fax machine months ago if he didn’t need it for work.

That’s because the Saskatchewan Health Authority keeps faxing him confidential patient information, most recently a five-page catheterization report that included a patient’s personal information, medical history and treatment recommendations.

According to the provincial privacy czar, the business Arnold co-owns — Kelly’s Computer Works in North Battleford — has received faxes of confidential medical records on at least four occasions over the last two years, most recently on March 12.


“It is the responsibility of the SHA to get this issue addressed once and for all. It cannot expect a private business to continue to clean up its errors,” Kruzeniski said in the report, which notes that the webmail issues had not previously been disclosed.

Read more on WSOE.