Jul 04 2018

Dean Beeby reports:

A privacy breach at CBC/Radio-Canada was larger than initially reported, involving 23,675 employees, former employees, contractors and others, internal documents show.

The corporation said on May 16 — when it first announced the breach — that 20,008 people were affected. That’s the number it reported to the privacy commissioner of Canada.

But the corporation knew by at least May 11 that the actual total was larger, emails obtained under the Access to Information Act show.

A CBC spokesman, Douglas Chow, confirmed the larger number. “We also decided to send letters to incorporated outside contractors whose business information was potentially impacted and in the same spirit of transparency,” he said.

Read more on CBC.

Jul 01 2018

Associated Dermatology and Skin Cancer Clinic of Helena notified 1,254 patients of a breach of unsecured personal patient protected health information.

On May 26, an Associated Dermatology employee learned that someone had broken into her car and taken a journal she had been keeping for personal use to assist her in her care of Associated Dermatology patients. She reported the incident to Associated Dermatology the same day.

The file contained only the following information: names and ages of patients who saw a physician assistant between September 1, 2017, and May 24, 2018; the reasons and dates of the patients’ visit(s) during that time frame; the referring physician, if any; a brief description of patient’s medical history; and brief notes regarding the visits. Associated Dermatology has no knowledge that the information has been viewed, used, or misused by anyone.

Law enforcement authorities have been notified and are working to locate and safeguard the information. The information did not contain data such as social security numbers, dates of birth, or insurance information that could be used for purposes of identity theft, but Associated Dermatology has advised patients to be aware of this incident so that they can exercise caution and be alert to suspicious activity that could result. For example, a patient could be contacted by someone who has this information and fraudulently misrepresents his or her purpose in an effort to get the patient to share additional personal information which could be used for identity theft or other malicious purposes.

This incident occurred despite strong safeguards Associated Dermatology has established to protect the privacy of its patients’ information.

As a result of this incident, Associated Dermatology is working to further strengthen these safeguards, to address the incident, and to put additional measures in place to minimize the chance that such an incident could occur again. The incident will also be reported to the United States Secretary of the Department of Health and Human Services. For additional information, patients can contact Associated Dermatology’s Privacy Officer Corina Cook at (406) 324-7453 or [email protected].

Please direct all questions to Corina Cook. July 1, 2018

Jun 28 2018

Alex Brockman reports:

A laptop containing health information on people living in the Northwest Territories was stolen from a vehicle in Ottawa, according to a news release from the territory’s health department.

The laptop held comprehensive health data on patients in the N.W.T. and their health history. The computer was stolen from a locked vehicle in Ottawa on May 9.

The computer’s data wasn’t encrypted, according to the government. But it had a strong login password and there isn’t anything to suggest someone outside the government has actually accessed the data.

Read more on CBC.ca.

Not surprisingly, this was not the health department’s first breach. The fact that we’re hearing the old “strong password” and “no evidence to believe” lines in 2018 instead of, “Okay, this absolutely should not have happened this way and heads are rolling as you read this” is not encouraging.

Jun 26 2018

ANN ARBOR, Mich. — Michigan Medicine is notifying approximately 870 patients about the theft of a laptop computer that may have exposed some of their health information.

On June 3, 2018, a Michigan Medicine employee’s personal laptop computer was stolen. The theft occurred when the employee’s car was broken into and his bag, which contained the laptop, was stolen. The theft was immediately reported to the local police, and Michigan Medicine was notified on June 4.

The information on the laptop did not include addresses, phone numbers, social security numbers, or credit card, debit card or bank account numbers, but did include some limited health information that was collected for research.

The data stored on the laptop varied based on the research studies, but could have included patient names, birthdates, medical record number, gender, race, diagnosis and other treatment-related information.

The research studies involved were approved by the Institutional Review Board (IRB) at Michigan Medicine. The IRB reviews and approves proposed research studies involving human subjects to assure compliance with rigorous federal research regulatory requirements, including patient confidentiality and other human subject protections.

The IRB approved the collection of limited patient information. However, in violation of the IRB approvals and Michigan Medicine policies, the employee downloaded and stored the research data on his personal laptop. The laptop was password-protected, but it was not encrypted.

Michigan Medicine policy requires that patient information be stored on an encrypted device – encryption is the strongest and most secure method of protecting data.

“Patient privacy is extremely important to us, and we take this matter very seriously. Michigan Medicine has taken immediate steps to investigate this matter,” said Jeanne Strickland, Michigan Medicine chief compliance officer.

As a precautionary measure, affected patients have been advised to monitor their medical insurance statements for any potential evidence of fraudulent transactions using their information. However, Michigan Medicine believes the risk of this occurring is low, partly because the data on the electronic device does not include any health plan information or other identifying information that could lead to medical identity theft or financial identity theft.

Michigan Medicine continues to educate our entire workforce on the importance of following our patient privacy policies. In response to this incident, educational materials will be improved to further enhance key messages about the prohibited use of personal, unencrypted devices for storage of research data.

As required by Federal law, Michigan Medicine is also notifying the U.S. Department of Health and Human Services Office for Civil Rights.

Affected Michigan Medicine patients are expected to receive letters in the mail notifying them of this incident within the next couple of days. Patients who have concerns or questions may call toll-free 855-336-5900, Monday through Friday, from 8 a.m. to 5 p.m.

Source: University of Michigan, Michigan Medicine

Jun 15 2018

KRIS-TV reports:

Medical records for some patients from CHRISTUS Spohn medical centers in Corpus Christi were among the items stolen from an employee, the organization reported.

According to a press release from CHRISTUS Spohn, the incident happened back on April 16, 2018, when an employee was the victim of a burglary that led to the theft of their personal belongings.

Among those belongings were medical information for “some patients who received services” from CHRISTUS Spohn Hospital Corpus Christi-Memorial and CHRISTUS Spohn Hospital Corpus Christi-Shoreline.

An official confirmed that around 1,800 patients who may have been impacted were being contacted regarding the incident.

Read more on KRIS-TV.