Follow-up on the Gulf Coast Health Care Services breach

Back on November 10, I noted that HHS’s breach tool had added an entry for Gulf Coast Health Care Services:

Gulf Coast Health Care Services in Florida suffered a network compromise on August 17 that reportedly affected 13,000 patients. The incident was reported to HHS as “Theft, Unauthorized Access/Disclosure, Hacking/IT Incident”, Network Server.

I commented at the time, “I really wish HHS would refine their response categories.” After finding out more about the breach, I’m even more convinced that we would all benefit if HHS refined its reporting form.

Based on my interview with Craig Brimm, Privacy Officer for the firm, this was a messy insider breach that actually started in June 2012 (not August 17, as indicated on HHS’s breach tool) after a psychiatrist left their practice and started calling patients to recruit them for her new practice. It is not clear whether the psychiatrist took any patient contact information with her, but the firm later discovered that on June 29, their receptionist accessed patient databases for both of the firm’s locations and started downloading patient information. Later investigation revealed that the same receptionist downloaded information on other occasions in August and September. During the investigation, evidence was uncovered that the receptionist had been in contact with both the psychiatrist and a nurse practitioner who had also left the practice. Gulf Coast believes that the receptionist supplied these two former employees with patient contact information.

Gulf Coast first discovered the breach on September 26 when patients alerted them that they were receiving unsolicited phone calls recruiting them as patients. The firm also started receiving faxed requests for the patients’ records.

The matter was referred to law enforcement on September 28.

According to Brimm, the receptionist had downloaded approximately 13,000 patients’ names, addresses, phone numbers, and dates of birth.

Brimm sent PHIprivacy.net the following statement/substitute notice:

Gulf Coast Health Care Services Notice Concerning Patient Privacy Breach

11-16-2012

On September 26, Gulf Coast Health Care Services Inc. discovered that an employee had, without authorization or legitimate purpose, accessed and downloaded limited information on our patients. Forensic investigation revealed that the unauthorized access occurred on five occasions between June 29, 2012 and September 20, 2012.

The types of information accessed included patients’ names, addresses, dates of birth, and phone numbers for all patients seen in this office since 1992. The employee did not access any medical information, Social Security numbers or financial information. We believe that the data were stolen and provided to other practitioners who have used our patient contact information to try to recruit patients for their own practices. Because of the nature of this breach, we do not believe that our patients are at any risk of ID theft.

On September 28, the matter was reported to the FBI, the Sarasota Police Department, and the Florida Department of Law Enforcement. The incident was also reported to the U.S. Department of Health and Human Services Office of Civil Rights in compliance with federal law. The breach remains under active investigation by all agencies that were notified.

Gulf Coast Health Care Services deeply regrets any distress patients may have experienced due to unsolicited phone calls from other practices. We have been working with security experts to further limit access to our patient databases, and assure patients that we care about their privacy.

If you have any questions or concerns or wish to report unsolicited contact from other practitioners, please call D. Craig Brimm, Privacy Officer at 941-343-3033 or e-mail [email protected]

Would you have guessed that this was an insider breach of this kind from HHS’s breach tool entry? Even though “unauthorized access” was included in their list of possibilities, would your first thought have been insider breach or would it have been a hack or theft?

I’m not sure how we can persuade HHS to refine their reporting tool, but having fuller information would sure be helpful.

About the author: Dissent
