Five newly revealed breaches on HHS's web site

With its most recent update, the HHS breach tool site added nine breach reports. We knew about some of them already (the Oklahoma City VA incident, the Triple-Salud breach in Puerto Rico that had been reported by the Puerto Rico Dept. of Health, and the University of Tennessee Medical Center incident), but some of them had not been in the media or previously reported on this blog:

Memorial Hospital of Gardena (California) reported that a breach involving “Unauthorized Access/Disclosure” of paper records on October 14 affected 771 patients. No statement appears on the hospital’s web site at the time of this posting, nor can I find any media coverage via a Google search.

The Albert Einstein Healthcare Network in Pennsylvania reported that 613 patients had protected health information on a desktop computer that was stolen on October 21. No statement appears on the hospital’s web site at the time of this posting, nor can I find any media coverage via a Google search.

Kings County Hospital Center (Brooklyn, NY) reported that 542 patients had PHI on a desktop computer that was stolen on August 22. The incident was posted to HHS’s site on December 10, raising questions in my mind as to whether there was a significant delay in reporting the breach, and if so, why. No statement appears on the hospital’s web site at the time of this posting, nor can I find any media coverage via a Google search.

The Newark Beth Israel Medical Center in New Jersey reported that 1,744 patients were affected by a breach involving Professional Transcription Company, Inc. on or about January 1, 2010. On its web site, the hospital posted a notice:

On September 24, 2010, we discovered that Professional Transcription Company (“PTC”) (a company that assists us in transcribing dictated physician reports) posted clinical reports on a website portal of PTC. This website contained a clinical report regarding your care at our Hospital, which may have included your full name, medical record number, hospital account number, physician name, date of birth, diagnosis and other clinical information about you in the form of an operative report, a discharge summary or physician consultation report. The website did not include your address, social security number, financial information or other identifiable information about you.

PTC believes that your information may have been posted on the website for up to ten months, although we have no information to indicate that your information was actually viewed by any unauthorized individuals. PTC has provided us with assurances that PTC has removed your information from the website.

We have been following up with PTC regarding this incident. We have demanded that PTC complete a thorough investigation of how and when this incident occurred. PTC has told us that the company is performing a complete security assessment of their computer systems in order to identify and implement measures necessary to avoid similar incidents in the future.

We are sending letters to those patients whose information was included on the website and for whom we have addresses. Although no patient financial information was included, if a patient becomes aware of any suspicious activity, he/she should report it immediately to his/her financial institution and/or the authorities. If a patient has any questions regarding this incident, please call us at (732) 557-3949 (phone lines staffed Monday through Friday, 9:00 a.m. to 5 p.m.) or email us at [email protected]

The Hospital considers the security of patient information to be of the utmost importance. For this reason, we will continue to uphold our commitment to protecting your personal information.

This is the second incident involving the hospital this year. In both cases, the breach involved a contractor or business associate of the Saint Barnabas Health System.

Ochsner Health System in Louisiana reported that H.E.L.P. Financial Corporation had a breach affecting 9,475 patients’ protected health information. The breach occurred on or about September 27. A notice posted to Ochsner’s web site on December 8 states:

On October 4, 2010, Ochsner Health System was notified by some of our patients that letters sent out by the HELP Financial Corporation (765 Wing Street, Plymouth, MI 48170) on behalf of Ochsner contained incorrect patient information. These patients indicated the name, medical record number, account number, and account balance on the letter did not match the records for the person to whom the letter was mailed. Ochsner has a contract with HELP to assist patients with payment arrangements for their outstanding hospital and/or clinic account balances.

Ochsner’s investigation revealed that the mistake was the result of a programming error at HELP Financial Corporation. HELP has identified how the problem occurred and has assured Ochsner that the problem has been corrected. HELP has also adjusted their procedures to ensure that another programming error does not occur. These changes include re-testing of programming changes, strengthening of their quality control procedures, and adding an additional layer of inspections to the patient letters.

This error did not affect any patients’ Ochsner account balance, financial records, and/or medical record. Medical information and social security numbers were not disclosed as a result of HELP’s error. In addition, no patient is able to access another patient’s medical records or financial records using the incorrect information on the letters they received.

At Ochsner, ensuring the privacy and confidentiality of our patients is our top priority. We deeply regret this occurrence and any inconvenience it may have caused. The protection of our patients’ private information is important to Ochsner Health System, and we are committed to maintaining and improving the security of our patients’ personal and financial information.

Any Ochsner patient affected by this error will receive a notification letter from Ochsner. Ochsner urges any patients with questions or concerns regarding this notification or the letter they receive to please contact Ochsner Health System at 1-877-356-1663.

For additional information, contact Stafford Scott, Senior Public Relations Specialist, at 504-842-9143.

About the author: Dissent