Ho ho how many? Breaches newly disclosed by HHS

Today’s update to HHS’s public breach tool sheds light on some previously reported breaches and over half a dozen new ones:

The armed robbery of a Brigham and Women’s Hospital physician impacted 999 patients.

Newly Revealed:

North Big Horn Hospital in Wyoming reported that 1,607 patients were affected by a breach on October 2nd involving the loss of paper records. So far, I haven’t found any statement on their site or in news media.

The Hearing Zone in Utah reported that 623 patients had PHI on a laptop that was stolen on October 8th. So far, I haven’t found any additional information on this breach.

The Florida Department of Health reported that 2,477 patients were affected by a breach on August 16th involving email. So far, I haven’t found any additional information on this breach.

ReachOut Home Care in Kentucky reported that 4,500 patients had PHI on a laptop that was stolen on October 9th. Their statement from their web site:

ReachOut Home Care customers in Texas notified of security breach

Unencrypted computer stolen from office facility contained patient names and Medicare identification numbers

Richardson, TX – Dec. 9, 2014 – In October, at the offices of ReachOut Home Care in Richardson an unencrypted laptop computer was stolen. The computer contained the names, claims data and, in some cases, Medicare identification numbers of approximately 5,000 ReachOut Home Care customers who live in the Dallas/Fort Worth area.

At this time, ReachOut Home Care has no reason to believe the information has been used inappropriately. ReachOut Home Care is in the process of notifying all of its customers whose information was on the computer and will provide individuals whose Medicare identification number was included free access to a credit-monitoring service that can help them protect against potential misuse of their information. We are strongly encouraging these ReachOut Home Care customers to enroll for the free service.

While ReachOut Home Care has policies and procedures in place to maintain the security of its members’ information, we are taking additional steps as a result of this incident. These steps include a comprehensive review of our technical security procedures with ReachOut Home Care and an inventory and review of all ReachOut Home Care equipment that maintains protected health information to ensure that all equipment has been encrypted.

ReachOut Home Care customers who have any questions about this may contact ReachOut Home Care by phone at 1-800-240-3294, from 9 a.m. to 5 p.m. Central Time, Monday through Friday. Any ReachOut Home Care customer who believes their information is being used by another party is urged to contact ReachOut Home Care so that we can work with the ReachOut Home Care customer and law enforcement officials to promptly investigate the matter.

District Medical Group in Arizona reported that 616 patients had PHI involved in a breach that occurred on March 1, 2014. A statement on their web site explains:

[…]

On October 24, 2014, we became aware that patient information was made potentially accessible on the Internet. We immediately began an investigation and learned that an employee used a thumb drive while working at home that contained patient billing information. While working from home, the employee connected the thumb drive to the home network, and a security vulnerability made the contents of the thumb drive accessible from the Internet. While connected, the documents and information on the drive could be located through a search engine, such as Google.  The thumb drive included patients’ names, dates of service, names of department where the patients were treated, refund amounts, and in some instances social security numbers. Credit card and banking information were not included on the thumb drive.

After we found out about this incident, we promptly took steps to remove the information from the Internet, including working to ensure the documents are no longer available through a search engine.

While we have no reason to believe that patient information has been used in any way, out of an abundance of caution, we began sending letters to affected patients on December 12, 2014, and have established a dedicated call center to answer any questions they may have.  If you believe you are affected but do not receive a letter by January 5, please call 1-888-266-9280, Monday through Friday from 7:00 AM to 7:00 PM Mountain Time.

We deeply regret any inconvenience it may cause our patients.  To help prevent something like this from happening in the future, we have taken a number of actions, including providing education to the involved employee and re-educating all employees regarding the protection of sensitive information.  In addition DMG is reviewing and updating pertinent policies and procedures regarding data privacy and security.

St. Mary Mercy Hospital in Michigan reported that 1,488 patients had PHI involved in a breach involving email that occurred on December 4. I could find no details on their site, however, or in any media reports.

Walgreen Co. reported that 160,000 patients had PHI involved in an August 1st – November 6th breach involving paper records.  I was unable to find any coverage of this, but this could be big, as Walgreen has had problems before with paper records, and was even fined in the past. This is the fifth breach involving Walgreens to show up on HHS’s public breach tool since its inception in September 2009.

About the author: Dissent