HHS tool reveals three more breaches
Today’s update of HHS’s breach tool reveals three more breaches not previously reported on this blog:
Sierra Plastic Surgery in Nevada was hacked or had a network compromise between August 19, 2011 and September 20, 2011, but are apparently just reporting it to HHS now – unless HHS mistyped the year of the incident twice. The incident affected 800, and I can’t find any notice on Sierra’s web site or anywhere on the web or in news sources. Nor is it clear whether the web site was hacked, where potential patients enter some personal information, or if their office server was hacked. [Update: See blog entry of Nov. 27 with details on the above breach.]
Valley Plastic Surgery, P.C. in Virginia reported 4,873 patients were affected by an electronic device stolen on July 15. Again, I can find no web site or notification describing this incident.
Colon & Digestive Health Specialists in Arizona reported a breach involving a vendor, Ecco Health, LLC that affected 5,713 patients. The breach involved a lost flash drive and occurred on July 16. I was able to locate a notice that had been linked from their home page. The letter, dated August 30, explains:
In order to better serve our patients and to meet new federal electronic health record regulations, we are in the process of converting prior patient records into a computerized database. We contracted with a well-known electronic medical record consulting firm to assist us in that large and labor-intensive endeavor. As part of that process, the consulting firm mailed a flash drive containing these computerized records to our office. Unfortunately, when the envelope was received by Colon & Digestive Health Specialists, it was empty.[…]
Please note that we have no indication that the flash drive was stolen or intentionally removed from its envelope. Rather, it is believed that the envelope was torn when it was sent through the United States’ Postal Service sorting machine, causing the envelope’s contents to fall out while the envelope was en route to our office.
The flash drive contained both patient electronic medical and billing records, including protected health information, names, social security numbers, dates of birth, addresses, telephone numbers, account numbers, and diagnoses. The consulting firm has informed us that this information was likely password-protected such that it would be difficult to access the data without significant computer expertise.
“Likely password-protected?” They don’t know for sure? That’s not good.