Dec 132017

Joanne Francis reports:

After a library book was returned to Nipawin Public Library, with records containing personal health information tucked into it’s pages, a library employee contacted Kelsey Trail Health Authority (KTHA). An employee from Nipawin Hospital retrieved the records of approximately 19 patients.

Investigating it further, KTHA determined that a surgical assistant who was not an employee of KTHA but works as a physician with practicing privileges, Dr. A Lawani, had borrowed and returned the book to the library. KTHA reported the matter to the Office of Saskatchewan Information and Privacy Commission (OIP).

Read more on Nipawin News.

Dec 132017

Their press release:

December 12 – Franciscan Physician Network of Illinois (FPN Illinois) and  Specialty Physicians of Illinois, LLC (formerly known as Wellgroup Health Partners, LLC, “SPI”) are notifying patients of a privacy breach.

On November 21, 2017, it was confirmed that a limited number of boxes that contained 22,000 patient payment records could not be located in a shared record storage facility located in Chicago Heights, Illinois. The boxes contained records from 2010 and 2015-17.

After an earlier routine records request, records personnel searched for the requested materials and could not locate them which triggered a further inventory audit that discovered some of the boxes, but a total of 40 boxes of payment records could not be located.

While the continuing investigation has not revealed any evidence of foul play, officials have taken the added step of notifying law enforcement as a further precaution.

“We value patient privacy and deeply regret that this incident occurred,” said Craig Miller, SPI executive director. “We are conducting a thorough investigation to identify additional measures we can take to prevent similar incidents in the future,” he said. Claude Foreit , vice president of  Franciscan Physician Network, stated, “Steps have been taken to improve safeguards for payment records, including bolstering physical security, updating our tracking system for paper records, and retraining employees responsible for handling these records.”

The affected records only include information relating to payments that were made in person either in the office at the time of service or in person at an FPN Illinois or SPI facility. Of those stored transactions, it was determined that payment records such as patient receipts, credit card receipts, and back-office accounting reconciliations were included in the boxes. The information included patient name, address, payment date, payment amount, payment method, office location and the last four digits of patient credit card numbers. No full credit card number was compromised in the incident. For a small subset of individuals who paid with a check, the records may contain the patient’s routing number, bank account number and social security number.

The payment records from 2010 may have also included patient date of birth, account number assigned by the facility, insurance ID number, diagnosis, type of visit, procedure code, provider name and address, dates of service and description of services performed.

Impacted individuals have been notified by mail and will be offered two years of identity theft protection services at no cost. Patients affected will also be encouraged to monitor their financial accounts, credit history, and Explanation of Benefits statements as extra precautions.

A dedicated hotline, (833) 295-7812, has been established to take patient questions related to this incident.


Dec 052017

The press release below from Mercy Health/Love County Hospital is described as a supplement to an incident that they – and we – first reported in July. In September, the entity notified HHS that they had notified 13,004 patients, a notification that they reference below as a precautionary measure. I’m not sure why they needed yet another press release about this incident unless they had failed to notify everyone as required by HITECH and wanted to ensure that they reached everyone with mitigation offer, etc. 

Dec. 5 – Mercy Health/Love County Hospital and Clinic (Love County Hospital) discovered a theft of medical records which may have affected patients receiving services from this facility. Protecting privacy and security of patient health information is very important to Love County Hospital. This news release is being issued to supplement a notice about this incident previously issued in Love County, Oklahoma.

On June 23, 2017, Love County Hospital learned that ten medical records were stolen from one of its storage units. The medical records contained medical information, names, addresses, dates of births, social security numbers and driver’s license numbers. The ten records were stolen by a former employee and used to obtain fraudulent credit cards. The matter has been investigated by multiple law enforcement agencies and Love County Hospital has been cooperating with their investigation. Upon discovering the incident, Love County Hospital took the steps necessary to address the matter, including immediate measures to enhance security of the storage units and to prevent similar incidents from happening in the future.

While only ten medical records appeared to be stolen, all individuals whose medical records were in the storage units were notified of this incident and resources were made available to assist them with protecting their information. As a precaution, affected individuals should carefully monitor their credit reports for any unauthorized activity in the upcoming months. To help protect from any potential negative consequences from this incident, all affected individuals are offered credit monitoring and identity protection services free of charge for 12 months through AllClear ID.

Love County Hospital has established a dedicated call center to answer any questions about the incident. If you have any questions or would like to learn additional information, please call 1-855-742-6046. The call center is available to answer questions Monday through Saturday, between 8:00 a.m. and 8:00 p.m. Central Time. You may also submit any questions about this incident by mail directed to: Privacy Officer, Mercy, 14528 South Outer Forty Drive, Suite 100, Office 1036, Chesterfield, MO 63017.

SOURCE: Mercy Health

Dec 032017

Paul Muschick and Emily Opilo report on one of those data protection fails that sometimes happen when a practice closes. And once again, we find no one stepping up to admit responsibility for the improper disposal of patient records with personally identifiable information and sensitive protected health information.

In this case, the records appear to come from Women’s Health Consultants, “a now-closed practice that operated at 1611 Pond Road in South Whitehall Township and 5325 Northgate Drive in Hanover Township, Northampton County.”

Read more on This is exactly the kind of case I wish HHS/OCR would pursue for enforcement to send a message that it will cost you dearly if you don’t dispose of records securely. It may be that a contractor hired did something wrong or in error. It may be the former administrator did something wrong or in error. At this point, we don’t know.

But someone did something and there needs to be an investigation and accountability.

Dec 012017

Will Houston reports:

Sensitive personal information — including social security numbers and bank account information — for several former and current Humboldt County employees, including some of their dependents, were found in boxes of missing county records that suspiciously turned up in Trinity County, according to a recently completed county review.

When asked by the Times-Standard to provide the number of county employees and number of dependents whose information was contained in these compromised records, county Administrative Analyst Sean Quincey said today the county is focusing on the people impacted by this incident and making sure they obtain services to protect themselves.

Read more on Eureka Times-Standard.