HHS updates breach tool, Part 1: many older incidents newly added
Okay, so HHS decided to give me a migraine by adding no less than 37 breach incidents to its public breach tool today. I suspect, but cannot be certain, that my repeated inquiries to them about breach reports not showing up in a timely fashion – the last such inquiry a few days ago – may have contributed to today’s massive update. Interestingly, a number of the entries refer to breaches well over a year old. Have they been sitting on these reports all this time? And if so, why?
Let’s start with the breaches I knew about already:
- In January 2013, Lee D. Pollan, DMD, PC notified NYS that a missing, and probably stolen, laptop contained unencrypted PHI on 13,806 former patients. That incident was reported to HHS as affecting 19,178 patients.
- The Feinstein Institute for Medical Research breach involving a laptop stolen from an employee’s car was reported on this blog in September 2012, but now first shows up on HHS’s breach tool.
- The Litton & Giddings Radiological Associates breach involving its janitorial service sending billing records handled by PST Services, Inc. for recycling instead of shredding was reported on this blog in October 2012. It now appears on HHS’s list and indicates that 13,074 patients were affected.
- The Washington University School of Medicine (Missouri) breach involving a laptop stolen from a lecturer in Argentina was reported on this blog in January 2013. It now appears on HHS’s breach list with a notation that 1,105 patients were affected.
- The El Centro Regional Medical Center breach involving records that went missing after they were turned over to an unnamed vendor for digitization and destruction was reported on this blog in May 2013. It, too, now appears on HHS’s breach list, and we now learn that the vendor was Digital Archive Management and that 501 patients were affected.
- The St. Elizabeth’s Medical Center (Massachusetts) breach involving paper records first reported in February 2012 on this blog and updated in April 2012 has now been added to the breach list.
- The Carolinas Medical Center – Randolph breach involving an e-mail hack that was reported on this blog in December 2012 has been added to the list.
- The Volunteer State Health Plan breach added to their site appears to be a duplicate of a previous entry that had already been noted on this site. Similarly, the Vidant Pungo Hospital breach added to their breach list today also appears to be a duplicate of an earlier entry, as reported previously on this blog.
- The Jackson Health System breach involving a volunteer stealing/copying PHI on a smartphone was reported on this blog in December 2012.
- Children’s Hospital Boston reported 2,159 patients had PHI on a laptop stolen on March 25, 2012. I suspect that there’s a typo in HHS’s entry and that this is the May 2012 incident previously reported.
Not all the additions were older breaches. Some of the more current ones that we already knew about include:
- The New Mexico Oncology Hematology Consultants breach involving a laptop stolen from an employee’s office has been added to the list. It reportedly affected 12,354 patients.
- The South Carolina Health Insurance Pool (SCHIP) breach involving a laptop stolen from a De Loach & Williamson employee’s car has been added to the list.
- The L.A. Gay & Lesbian Center hack resulted in notification of 59,000.
In the next post, I’ll discuss the newly added breaches we didn’t know about already.