A notice on Maryville Academy‘s web site says:
Notice To All Current and Former Maryville Academy Residents and Clients Who Received Services Between 1992 and January 25, 2011:
Maryville Academy has suffered a breach in the security of its data involving the records of children and adolescents who have received services between 1992 and January 25, 2011. Although the records included information from Maryville programs operated at various times, Maryville believes from its investigation into the matter that the breach primarily involved records generated in connection with programs conducted by Maryville at its Des Plaines and Bartlett campuses and various programs in Chicago and Des Plaines campuses that are no longer operating. No original documents or records from Maryville’s Scott Nolan psychiatric hospital, the Children’s Healthcare Center, the Crisis Nursery or the Paulina Shelter were on these back-up hard drives, and therefore, are not impacted by this breach.
What happened, including the date of the breach and when it was discovered:
The breach occurred at a Maryville Academy facility located in Des Plaines, Illinois. Three secondary back-up portable hard drives were removed from a locked room used as a secure area to maintain a secondary back-up copy of some electronic records for Maryville’s service programs. The breach occurred sometime between January 25, 2011 and February 1, 2011. The breach was discovered on February 1, 2011.
A description of the types of unsecured protected health information involved in the breach:
This secondary back-up hard drive contained unsecured protected health information on 3,897 children and adolescents who have received various services at Maryville Academy, including, but not limited to, their names, dates of birth, Department of Children and Family Services identification numbers and historical information on the child and family, medical and behavioral health services, treatment plans, medications, and reports concerning their daily activity and behavior. These records contained some Social Security numbers.
What steps individuals should take to protect themselves from potential harm resulting from the breach:
Maryville Academy has received no information to indicate that anyone has attempted to access, use, or disclose this data. However, as a further precaution, the following steps may assist you in preventing any future misuse of your private information:
1.) Any person who thinks he or she has been potentially harmed by this breach should contact Maryville Academy at [email protected] or at Maryville’s address listed below about any questions or concerns they may have. Maryville Academy’s designated staff will assist in determining if the person’s protected health information or any other private and personal information was actually contained on the missing secondary portable hard drive.
2.) If it is determined that a person’s protected health information was contained in records on the missing secondary hard drive, the affected person should go to www.AnnualCreditReport.com and request a free credit report. By reviewing their credit report, the affected person can discover if anyone has attempted to make a purchase, open up or access bank accounts, applied for, received or used a credit card, or engaged in other illegal uses of the personal information of the affected individual. If an affected individual desires, Maryville Academy will provide assistance in protecting the affected person’s personal information.
3.) If you determine that your protected health information was contained in the records on a missing hard drive, you may want to check all bank accounts, credit card records, utility records and any other personal financial records to see if there were any unauthorized purchases, services requested, withdrawals of money, or other unauthorized acts signifying that someone may be trying to illegally use your personal information. Any attempt to use your information is a crime and should be reported to your local police department.
What Maryville Academy is doing to investigate the breach, to mitigate potential harm to affected individuals, and to protect against any further breaches:
A thorough investigation has been conducted under the coordinated oversight of Maryville’s Director of Operational Services, Compliance Officer, and Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Officer. The investigation has included the review of relevant information and documentation. Interviews were conducted with persons who had access to the locked room, knowledge of Maryville’s data security policies and procedures, and/or knowledge of the contents of the missing hard drives and the ability of an unauthorized person to access, use, or disclose any of the information on the missing hard drives. All data security policies and procedures have been reviewed and updated, including the maintenance of backup hard drives. To protect against any future breaches, Maryville Academy has changed the location of its local site and the manner for storing any back-up hard drives and has upgraded the security for this purpose. In addition, Maryville Academy is now in full compliance with the U.S. Department Health and Human Service’s recommended procedure of using data encryption to protect client’s health information. Maryville Academy has begun a practice using specialized security software to completely encrypt all records on these back-up hard drives. This encryption software scrambles the data on the back-up hard drives, which makes the information unusable in the event they are ever lost or stolen in the future.
Contact procedures for individuals to ask additional questions or learn additional information:
If you think your private information may be included in this breach, or you think that your privacy or security has been harmed by some unauthorized person, or would like to ask additional questions, please contact Maryville Academy, 1150 North River Road, Des Plaines, IL. 60016. Beginning the week of March 28, 2011, you will be able to call Maryville Academy at a toll-free telephone number. You can also contact Maryville Academy at the following email address: [email protected].
Information about this data breach will be posted on Maryville Academy’s web site – www.maryvilleacademy.org for a period of 90 days, starting on March 25, 2011 to June 22, 2011.
From my perspective, it’s a good notification in terms of being clear as to what happened and what kinds of information were involved. It’s unfortunate that they had not encrypted the back-up drives as it really could saved a lot of time and expense now – apart from any concerns about sensitive information on children winding up in the wrong hands or being misused for non-financial purposes.