HHS web site update reveals another new breach

In its most recent update, HHS added seven reports to its site. Interestingly, we already knew something about six of the incidents via notices on the entities’ web sites or media coverage, which I attribute to HITECH’s new requirements.  Entities realize that they have to disclose and are getting the information out more promptly and visibly.

With respect to previously known breaches, I noted that:

  • The Baylor College of Medicine breach involving a stolen laptop, disclosed by Baylor in July,  reportedly  affected 694 patients. The notice on Baylor’s web site had indicated 1600 patients.
  • Holyoke Medical Center, whose patient records were found at a dump after being improperly disposed of by a business associate, notified HHS that 24,750 patients were affected. Their initial statement had indicated that it appeared that Pioneer Valley Pathology Associates had provided services to between 16,000 and 24,000 patients during this period of time.
  • The burglary at Eastmoreland Surgical Clinic affected 4,328 patients. Hopefully ID Experts will consider simply adding such information to future press releases on behalf of their clients. Certainly, their decision to not disclose the numbers in their press release resulted in this second blog entry instead of it being just a one-entry incident.

The one new (to us) disclosure on HHS’s site is a report by Chattanooga Family Practice Associates, who reported that 1,711 patients had protected health information on a lost portable electronic device. The loss reportedly occurred on July 15.    Checking the entity’s web site, I see the following notice:

On 07/15/2010 we had a potential disclosure of part of a select group of patient’s medical records. This occurred to a secondary backup device called a flash drive being reported lost. It is our opinion that it was most likely accidentally disposed of by our house cleaning staff. The information on this drive was for a specific period of time and included the patient name, date of birth and purpose of the visit. It did not contain any Medicare numbers, Social Security numbers or any other financial or identifying information. The main computer system has not been breached nor can it be breached through this lost device. We have identified the names of the patients involved and a letter has been sent to each patient identified. We have also reviewed our process and made corrective actions to prevent this from occurring again. If you have any questions regarding this potential disclosure, please call our administrator, Laura Watkins at (423) [redacted].

In their opinion?  That kind of reassurance may dissuade people from taking steps to protect themselves.  Could cleaning staff have stolen it?  Could there be some other explanation? When you don’t know what happened, I think it is best to say “Let’s hope for the best, but prepare for the worst.”

About the author: Dissent

Comments are closed.