Latest update to HHS breach tool discloses previously unknown breaches

HHS has another big update to their public-facing breach tool. While many of the incidents they have added have already been noted on this blog, there are some that have not been mentioned here previously.

Here are the incidents we did know about already (links are to previous coverage of the incident on PHIprivacy.net):

Turning to the breaches we didn’t know about already:

  • McBroom Clinic in Texas reported that a January 2014 breach involving TMA Practice Management Group affected 2,260 patients. I was able to locate a copy of their substitute notice, published in the Fayette County Record on March 18, 2014:

Attention Patients of McBroom Clinic:

An incident has occurred that may involve your personal information. In early January 2014, the McBroom Clinic asked a company to help us with a practice audit. We gave this vendor access to limited patient information in accordance with HIPAA and Texas requirements.

This information included insurance coverage and payment data, some of which was sent to the vendor on a portable USB flash drive. The vendor received the information on January 9, 2014, but did not see the USB flash drive in the package and discarded it with the packaging in line with their disposal procedures. We learned of this inadvertent disposal on January 17, 2014, when the vendor asked for another copy of our information. When we asked, the vendor said they had not seen or accessed the USB flash drive.

As soon as we learned the vendor had disposed of the USB flash drive, we conducted an investigation and determined that your information could be accessed if the USB flash drive were found by anyone. Information for a limited number of patients was contained on the USB flash drive. We know the group of patients from which we prepared the information, but we do not know if your information was actually on the USB flash drive. We also do not know if the information on the USB flash drive has been accessed or compromised.

Because the USB flash drive was thrown away, we believe the risk that someone accessed your personal information is low. But to be safe, we are notifying you of the possible breach of your information.
The privacy and safety of your information is important to us.

We will encrypt transmission of electronic data from now on to protect against future security breaches. Please monitor your bank accounts and credit card information to safeguard against the unauthorized use of your information. If you are among the group of patients whose information may have been copied to the USB flash drive, you will receive individual notice from the McBroom Clinic. This notice will include information from AllClear ID, the company we have asked to help with identity theft protection for you.

Please call us at (877)313-1394 if you have any questions.

Thank you for your patience and understanding.

McBroom Clinic,
Dr. Borgstedte, Dr. Blackwell,
Dr. McBroom, and Staff

  • QBE Holdings, Inc. was also affected by the StayWell Health Management breach noted previously on this blog. They report that 1,746 were affected by the incident.
  • Blue Cross and Blue Shield of Kansas City reported that 2,546 were affected by a breach on August 16, 2013 that involved “Unauthorized Access/Disclosure,Other.” I could find no information on their web site about this incident.
  • NOVA Chiropractic & Rehab Center in Virginia reported that 5,534 patients were affected by a January 30th breach. A HIPAA notice dated March 25, linked from their homepage says:

We take patient privacy very seriously, and it is important to us that you are made aware of a potential privacy issue that was discovered on January 30, 2014. An unencrypted thumb drive that was used to transfer older electronic records was misfiled and presumed to have been put back into regular office circulation or was inadvertently wiped clean or even disposed of. In most cases the information contained in the record was your name, address, and the health records from the office. In some cases social security numbers, date of birth, diagnosis, insurance claim forms and payment information including expired credit card information were also included. Please rest assured that your health information is intact and our office still has your important records. The likelihood that there indeed was a breach of information is extremely low. If you have concerns about this issue please call the toll-free numbers of any of the three major credit bureaus (below) to place a fraud alert on your credit report. This can help prevent an identity thief from opening additional accounts in your name. All three bureaus will provide you a copy of your credit report free of charge. When you receive your credit report, examine it closely and look for signs of fraud, such as credit accounts that are not yours. Continue to monitor your credit reports.

Equifax: (888) 766-0008; www.fraudalerts.equifax.com
Experian: (888) 397-3742; https://www.experian.com/fraud/center.html
TransUnion: (800) 680-7289; http://www.transunion.com/personal-credit/credit-disputes/fraud-alerts.page

We are investigating how this breach happened and are committed to mitigating any harm as a result of this issue by interviewing people that were involved in the electronic back up process at our office and taking inventories of all of our electronic storage devices. To protect against such breaches in the future, we are only using encrypted drives and password protected devices. We are taking a very proactive and precautionary approach to the privacy of our patients but feel that it is better to take an abundance of caution to these kinds of issues.

Please do not hesitate to contact us with any questions about this incident. Our address is 880 W. Church Rd. Sterling, VA 20164. Or simply contact our toll free number at (855) 281-5939. You may also reach us at our website: www.sterlingchiropractortherapy.com.

Sincerely,

John Ratcliffe DC
Clinic Director

As a way to update our records and to show goodwill to our patients and our community, our office would like to extend an invitation for you to receive a FREE examination or regular office visit/therapy session for you or one of your family members. Please call us to schedule your appointment.

  • Susquehanna Health reported that 657 patients were affected by a breach on December 5, 2013 involving “Unauthorized Access/Disclosure,E-mail.” I could find no statement on their website at this time.
  • Mission City Community Network reported that 7,800 were affected by an email breach that occurred between May 31 and June 25, 2013. I could find no mention of the breach on their site or in online sources, and have emailed them to ask for an explanation of the breach.
  • Florida Healthy Kids Corporation reported that a breach involving Policy Studies, Inc. / Postal Center International, Inc. affected 580. The breach occurred between November 13, 2013 and January 29, 2014 and involved “Unauthorized Access/Disclosure” of paper records. I could find no statement on their site. This is the second breach HHS has posted for them this year involving a vendor or business associate and paper records.
  • Group Health Plan, Inc. Medical Benefit Plan of Minnesota, the State Employee Group Insurance Plan of Minnesota, and University of Minnesota Employee Benefits all reported a breach involving HealthPartners Administrators, Inc., who posted this notice on their website:

    As an administrator of health plans, HealthPartners collects and maintains personal information about our members. We recently learned about an incident that involved some of our health plan members’ personal information.

    In addition to notifying affected members by letter, we also are posting this information to our Web site. The following information explains what happened, what it means for those affected, and how you can find answers to any questions you may have.

    What happened?

    We received a call on January 21, 2014. The call was about a HealthPartners employee who had taken home electronic files with health plan information.

    We began an investigation. We learned that this happened between 2008 and 2010. The employee showed the data to a family member to get help with the files. The files were copied to several computers and devices so the employee could work from home.

    We believe the employee and the family member meant no harm, but this was wrong. It was against our rules for handling member information. We have recovered several computers and devices involved. We continue attempts to locate any possible others.

    We are sorry that this has happened and apologize to those who have been affected.

    Was my information in the files and how can I know?

    On March 4, 2014, we were able to identify the members whose information was in the files. We have mailed letters to those members to let them know about this mistake.

    If you did not receive a letter and still wish to verify whether you were affected or not, please call us at 1-866-316-1495.

    What kind of information was involved?

    Information that was not in the files:

        • Medical records
        • Credit card information
        • Social security numbers (with one exception, see below)
        • Member addresses
        • Member telephone numbers
        • Email addresses

    The files did include member name, date of birth, and health plan member number.

    In some cases, the files included gender, provider name and location, and a general description of health care services received, and feedback members gave to us about services they received.

    One member’s social security number was in the files. We have already contacted that member directly by telephone.

    What is HealthPartners doing for those who were affected?

    In the notification letters we have sent to affected members, we are offering them one year of free identity protection provided by First Watch Technologies, Inc. We are asking affected members to call 1-866-316-1495 if they would like to use this service.

    We do not believe there is risk for identity or financial theft. The shared information was limited. We do not believe the information was shared with anyone other than the employee’s family member. We also do not believe the information was used for anything other than the employee’s work.

    What is HealthPartners doing to make sure this won’t happen again?

    We regret this mistake. We promise to use what we have learned to make improvements. We are always working to do more to protect member information. For example, we encrypt all laptops, smart phones, flash drives, and other devices used for company business. This makes data unreadable if it gets into the wrong hands. We will also have more employee training about how to keep member information safe.

    Who should I call if I have questions?

    We apologize. We want to earn and keep your trust. We know that our members may have questions, so we have set up a special call center. Please call 1-866-316-1495 if you have questions or would like to talk with us more.

For this incident, 796 GHI members were affected, 1,699 State Employee Group Insurance Plan members were affected, and 715 University of Minnesota Employee Benefits members were affected.

About the author: Dissent