HHS updates its breach tool, but still leaves us pretty much in the dark
HHS has added 19 reports to its breach tool. Some of these have been previously covered on this blog, and I’ve linked to the coverage below:
- Texas Health Harris Methodist Hospital Fort Worth/Shred-it
- Iowa Department of Human Services (affected 7,335, a fact we did not previously know)
- San Jose Medical Supply Co. (affected 800, a fact we did not previously know)
- A Harris County,TX breach that affected 21,000 was reported on my companion web site, but it apparently included PHI as well.
- The Sutter Health East Bay Region, Alta Bates Summit Medical Center, Sutter Delta Medical Center, Eden Medical Center/Nelson Family of Companies breach affected 4,479 patients. This is the first reference I’m seeing to the Nelson Family of Companies, which provides staffing/recruitment services to businesses.
- Illinois Department of Healthcare and Familiy Services, Family Health Network
- Long Beach Memorial Medical Center
- The Delta Dental of Pennsylvania/ZDI breach affected 4,718. Or did it? Why did they report this number to HHS when the statement they sent me said that over 14,000 were notified?
- James A. Fosnaugh
Some of the newly added breaches have not been previously noted on this blog:
- Lone Star Circle of Care in Texas reported that 1,955 patients had data on a laptop stolen on or about May 1, 2013. An FAQ on their web site indicates that the laptop was stolen from an employee’s car. The laptop contained personal health information of certain patients who had been hospitalized at an Austin-area health system in 2012 or 2013 and included name, address, date of birth, Social Security number, and primary diagnosis related to the individuals’ or their children’s recent hospitalizations.
- Jacksonville Spine Center in Florida reported that 5,200 patients were affected by an April 25 breach involving paper records. I cannot find any substitute notice on their site or via a Google search at this time.
- Samaritan Regional Health System in Ohio reported that 2,203 had PHI on paper records in a May 29th breach. I can find no notice on their site at this time.
- South Florida Neurology Associates, P.A. in Boca Raton reported that 900 patients had PHI on a laptop stolen sometime between May 25 and May 30. There is no notice on their web site at this time and I can find no copy of any substitute notice.
- Sheet Metal Local 36 Welfare Fund reported that 4,560 were affected by a breach at People Resource Corporation that occurred between August 1, 2012 and July 8, 2013. I can find no notice online concerning this breach at this time, nor even any listing for People Resource Corporation.
- Aflac in Georgia/Alberto Gerardo Vazquez Rivera reported that 679 insured had PHI on a laptop stolen on May 8, 2013.
- Health Net, Inc. in California reported that 8,331 insured members were affected by a paper records breach that occurred between April 1 and May 31, 2013.
- Medtronic, Inc. in Minnesota reported that 2,764 patients had PHI on paper records that were lost between March 28 and March 29. [UPDATE: see additional information here]
- MED-EL Coproration in North Carolina reported that 609 individuals had PHI exposed due to an e-mail error on June 25.
- Northrop Grumman Retiree Health Plan reported that 4,305 enrollees were affected by a paper records breach involving CVS Caremark.
The preceding’s lack of sufficient details demonstrates, yet again, why we should have full and prompt access to the forms entities complete and submit electronically to HHS. As it stands now, we do not have the entities’ descriptions of their breaches.