More additions to HHS's breach tool

Two updates within a week? The HHS breach tool is getting a workout.  Here is what was added today:

Sovereign Medical Group, LLC in New Jersey reported that 27,800 were affected by a breach on October 10, 2012. HHS’s breach tool codes the incident as “Theft, Hacking/IT Incident”, Network Server,” which probably means a hack, but I’ve found no media coverage of this breach and have sent them an inquiry.

South Jersey Hospital Inc. disclosed in January that they were affected by the Omnicell breach reported previously on this blog. Why their report to HHS is first appearing on HHS’s breach tool is unclear to me: were they late in notifying HHS, or did HHS delay posting this while they investigated? HHS has informed me in the past that they do not add incidents to the breach tool until they’ve done a preliminary verification of certain details. Looking at the other entries in this latest batch, my guess is that HHS delayed posting these incidents while they investigated.

Hawaii State Department of Health, Adult Mental Health Division disclosed a breach in October 2012 that is also first appearing on HHS’s breach tool. According to the entry, 674 clients were affected by a hack that occurred on September 25, 2012.

L.A. Care Health Plan in California reported that 18,000, were affected by an unspecified breach that occurred between September 17 and September 20, 2012. That breach had previously been reported on this blog and involved a mailing error that sent members’ IDs to the wrong addresses.

Calvin Schuster, MD of California reported that 532 patients had data on a computer stolen November 14, 2012. That breach was previously reported on this blog. Somewhat confusingly – or perhaps it’s a typo on HHS’s tool or in the doctor’s letter to patients – the log entry shows the theft occurred on November 14, while Dr. Schuster’s letter to patients says they learned of the breach on November 5.

SilverScript Insurance Company in Arizona, a CVS Caremark company and Medicare Part D Plan insurer, reported a breach affecting 852 patients on October 31, 2012. That breach involved paper records,  and might be a mailing error, but I can find no documentation of this breach available online.

Raleigh Orthopaedic Clinic in North Carolina’s breach affecting 17,300 patients was also added to the breach tool. That incident, involving stolen x-rays, was previously reported on this blog.

About the author: Dissent