Five breaches newly disclosed by HHS's breach tool
On Friday, HHS added 14 new incident reports to its breach tool. Half of them are organizations affected by the ADPI breach, and I’ve added their numbers to the list I’ve been keeping of affected organizations and number notified of that incident.
Another breach HHS added today was one already covered on this blog. That left five incidents we didn’t already know about:
Coastal Behavioral Healthcare, Inc. in Florida reported that 4,907 patients were notified of the theft of paper records back on April 11, 2011. A statement dated December 12 on Coastal’s web site says, in part:
Coastal Behavioral Healthcare, Inc. (“Coastal”) became aware of a breach of patient information on October 10, 2012 when a law enforcement officer contacted Coastal to report discovery of a list, dated April 2011, of approximately 136 Coastal patient names and identifying information found in a vehicle during a traffic stop.
Coastal has been conducting an internal investigation to determine how this information may have illegally been removed from Coastal premises and is cooperating fully with law enforcement in the prosecution of the individuals who possessed the information. As part of our investigation, we have determined that it is possible that additional patients may have been affected; therefore, to protect our patients we are notifying all patients whose information we believe could have been compromised.
James M. McGee, D.M.D., P.C. in Stone Mountain, Georgia reported that 1,306 dental patients were notified of a September 19, 2012 incident involving the theft of paper records. There is no statement on his web site that I can find and no media coverage that I can find at this time.
Robbins Eye Center in Bridgeport, Connecticut reported that 1,749 patients were notified after an October 7 incident involving theft of data (possibly theft of the computer itself?). There is no notice on their web site at this time, and I can find no media coverage or substitute notice.
Vidant Pungo Hospital in Belhaven, North Carolina notified 1,100 patients after an October 4 incident involving the improper disposal of paper records. I was able to find a breach notice linked from their home page. Of note, they report:
Specifically, the paper jackets that held one or more old radiology films were improperly discarded with office trash, picked up by a sanitation company, and disposed of in a landfill. The information contained on the paper jacket was limited to name, address, date of birth, age, sex, race and the date and name of the radiology procedure prior to May of 2012. The radiology films themselves were not disclosed, nor was any financial information.
Brigham and Women’s Hospital in Boston notified 615 patients after an October 16th incident. There is no notice on their web site at this time. Nor does there appear to have been any press release issued. Interpreting HHS’s “Theft, Desktop Computer” is a … well… it’s a crapshoot. It could be a computer was stolen or it could be that an employee stole data from the desktop computer. Have I mentioned how I wish HHS would change their reporting form to make this clearer in the breach tool?