More on today's HHS update: newly disclosed incidents
The remainder of today’s HHS update consists of breaches I did not previously cover on this blog. I’ve added details where I can find them. If there are no details, it means I looked, but couldn’t find anything yet. If you can add/provide details, please e-mail this site.
- Metcare of Florida, Inc reported that 2,557 were affected by a breach that occurred at the beginning of May 2012, involving the “Theft,Other” of a “Portable Electronic Device.” On June 4, Metcare of Plantation posted a notification that indicated that a tablet stolen from their office held patients’ names, their date of birth, Metcare’s internal patient identification numbers, and clinical information concerning patients, including medical histories and diagnoses. The tablet had a random 10-character password, but the drive was not encrypted.
- HealthTexas Provider Network – Cardiovascular Consultants of North Texas reported that 2,462 were affected by a breach that occurred between March 16, 2012 and May 11, 2012 involving “Unauthorized Access/Disclosure,Electronic Medical Record.” (UPDATE: see details in this May 8th post).
- City of Joliet in Illinois reported that Quality Health Claims Consultants, LLC was involved in a breach affecting 2,573 patients on October 8. The breach was described as “Unauthorized Access/Disclosure,E-mail.”
- Medical Mutual of Ohio reported that 643 were affected by a breach on October 16-17 involving “Unauthorized Access/Disclosure,Paper.”
- Molina Healthcare of Texas reported that 2,826 were affected by a breach discovered on October 1. On November 22, Molina sent a letter to all parents and guardians of current and former CHIP members explaining:
Your child’s Molina ID card was mailed to another Molina member in error. Your information was added to the wrong head of household. This happened when your child’s new CHIP ID number was added to our computer system. The PHI that was part of the breach was: Your child’s Name, Member ID Number, Date of Birth, Coverage Effective Date, and Assigned Primary Care Provider.
- Jones Chiropractic and Maximum Health of Indiana reported that 1,500 patients were affected by the theft of a desktop computer on October 13. I was able to locate a statement they posted on their site:
On October 13th 2013, our office was broken into and the following items were stolen. TV, DVD, petty cash, and a computer. The items have not been retrieved according to the Westfield Police Dept. No one has been arrested as of now. The computer taken did have all of our patient information on it. Our computer DID NOT have any credit card information on it though. There are some social security numbers on the computer because a person’s medicare number on their insurance card IS their social security number. We did have standard username and password protection. The computer required a password to logon to the computer, and a separate username and password to logon to the patient information program. Please feel free to call or email with any questions to us or the Westfield police department. You can contact a credit reporting agency to monitor your credit history to help protect yourselves.
- Ronald Schubert MD PLLC of Washington reported that 950 patients were affected by a laptop theft on November 22nd.
- Blue Cross and Blue Shield of North Carolina reported that 687 were affected by a breach on October 14 involving “Unauthorized Access/Disclosure,Paper.” This entry is a duplicate of one they added a few weeks ago, for which I could find no information.
- Puerto Rico Health Insurance Administration (PRHIA), reported that Triple S Salud Inc. was involved in a breach affecting 13,336 on September 20 involving “Unauthorized Access/Disclosure,Paper.” Triple-S Salud also reported a breach on that date, affecting 70,189 involving “Unauthorized Access/Disclosure,Paper,” so the PRHIA data might be part of that, but then who else was affected? Triple-S Salud has been involved in a big breach before (see here) and the Puerto Rican government had fined Triple-S Salud in the past, although I’m unsure as to the outcome of their appeal of the fine.
- Associated Urologists of North Carolina reported that 7,300 were affected by a breach that went on for a year beginning September 17, 2012 involving “Other,Other.” How’s that for an unhelpful entry, right? I’ve found nothing via a Google search or a search on their web site so far.
- Kemmet Dental Design of North Dakota reported that 2,000 were affected by a breach on November 10 involving “Theft, Other,Paper.”
- The Good Samaritan Health Center of Georgia reported that 5,000 were affected by a breach on November 6 described as “Other,Desktop Computer.” A statement they posted on December 27 says:
Atlanta, GA December 27– On November 6, 2013, The Good Samaritan Health Center experienced a security breach of its server by a malware encryption of files. The encryption affected multiple files including approximately 5,000 patient files from 1998-2009 for patients who had not been seen at The Center in the 3 years prior to 2013. The files were encrypted and rendered inaccessible; no information from those files was accessed through the breach. With the assistance of a third-party IT firm, The Good Samaritan Health Center acted immediately to investigate the breach and to implement additional measures for secure file backup and improved antivirus software. We are also working with the third-party firm to restore the affected data. Additionally, The Center has alerted the Secretary of Health and Human Services and is utilizing all available options to alert former patients who may have been affected. At this time, patients do not need to take any further action to protect their personal security.
- Walgreen Co. of Illinois reported that 17,350 were affected by a breach on September 18 – October 4 described as “Other,Paper.” How can there be such large breaches and we hear nothing about them in the media?
- Methodist Dallas Medical Center of Texas reported that 44,000 were affected by a breach beginning in September 2005 and continuing until August 1, 2013. The breach was coded as “Unauthorized Access/Disclosure,Other.” A statement on their website dated December 9 says, in part:
This is to notify patients of Methodist Dallas Medical Center of a possible breach of data containing identity information. This involves patients who received inpatient or outpatient surgery between September 2005 and August 2013 at Methodist Dallas Medical Center. It has been determined that information concerning their surgery may have been transmitted or stored on an Internet-based email service which, while password protected, does not meet Methodist’s guidelines for data storage security. The data stored with the Internet service provider included the patient’s name, patient hospital account number, date and time of scheduled surgery, birth date, surgeons’ names and a brief description of the operative procedure. The data DID NOT include any other identifying information. While every indication is that the data was only accessed for patient care purposes, in the interest of patient security and transparency and our obligation to report any potential for unauthorized access to personal health information to federal agencies, we are notifying all patients whose information was or may have been stored or transmitted using this service. The service provider has confirmed that all Methodist Dallas Medical Center patient information has been deleted from the Internet-based service. Letters were mailed to affected patients December 6, 2013.
- Northside Hospital, Inc. of Georgia reported that 4,879 were affected by a laptop lost on October 10. From their statement:
On October 11, 2013, we discovered that a password protected, unencrypted laptop containing some limited patient information had been lost. Upon learning of the missing laptop, a thorough investigation was undertaken. The laptop was used to list lab information and charges and may have included patient names, account numbers, lab results, billing dates, dates of service, diagnosis or diagnosis codes, lab results, and a limited number of Social Security numbers. No financial information was included on the laptop.
- Health Help, Inc. in Kentucky reported that 535 patients were affected by a breach on October 15 coded as “Theft,Other Portable Electronic Device.”
- Mosaic in Nebraska reported that 3,857 were affected by a breach on October 11th coded as “Other,E-mail.” A notice on the non-profit’s site says:
On October 16, 2013, Mosaic discovered that client information was in an email account of an employee who had fallen victim to an email phishing scam on an unknown date. Mosaic has taken actions to secure the email account and law enforcement has been notified. Phishing is an email scam that seeks to acquire information by masquerading as a trustworthy entity in an electronic communication. These email scams have become increasingly convincing and sophisticated in recent years.
During its investigation, Mosaic discovered that other Mosaic employees had been deceived by a similar phishing email scam. All affected email accounts were secured and passwords were changed. Mosaic undertook a comprehensive review of the affected email accounts and confirmed that they contained client information used by Mosaic for administrative purposes and may have included clients’ names, dates of birth, addresses, telephone numbers, birth certificates, driver’s licenses or government–issued identification cards, medical record numbers, insurance identification numbers, insurance/client payments, Medicaid and Medicare numbers, limited clinical information (which may include, but is not limited to: incident reports, diagnoses, procedures, prescription information), and, in some instances, Social Security numbers and financial account information.
At this time, all evidence suggests that the main target of this scam was the financial information of Mosaic. However, Mosaic was unable to confirm whether the unknown party accessed information contained in the emails, and therefore, as a precautionary measure, began sending letters to affected clients on December 11, 2013. Mosaic is offering to eligible affected clients a complimentary one-year membership in Experian’s ProtectMyID Alert credit monitoring and identity theft protection services.
Mosaic also has established a dedicated call center for clients to call with any questions. If you believe you are affected, but have not received a letter by December 20, 2013, please call 1-877-238-3229 Monday through Friday between 8:00 a.m. and 5:00 p.m. Mountain Time (closed on U.S. observed holidays), and provide the following ten digit reference number 2465120513 when prompted.
We deeply regret any inconvenience this may cause. Mosaic is committed to protecting your information. To prevent a similar incident from happening in the future, Mosaic is conducting a comprehensive review of its information security practices and procedures, as well as re-educating employees regarding online security awareness.
- New Jersey Department of Human Services reported that a breach involving Island Peer Review Organization (IPRO) on October 18 affected 9,642. The breach was coded as “Loss,Other Portable Electronic Device.” I was able to locate a notice that says, in part:
Trenton, NJ, November 21, 2013—IPRO, a New York-based healthcare evaluation company that contracts with the State of New Jersey to review confidential Medicaid managed care plan information, today announced a data breach involving client information.
The company learned that one of its employees lost a USB thumb-drive that contained personal information, including names, social security numbers and other sensitive health information. It also may have included birthdates and addresses.
IPRO is sending written notice to New Jersey Medicaid clients whose personal health information was compromised. IPRO has also taken disciplinary and corrective actions.
- Shiloh Medical Clinic in Montana reported that 1,900 were affected by a November 8th incident coded as “Unauthorized Access/Disclosure,Desktop Computer, E-mail.”
- Tranquility Counseling Services in North Carolina reported 1,683 were affected by a breach on November 1 involving “Other,Paper.”
In addition to the above, there were 3 other entries in the breach tool recently that I didn’t know about but was unable to find any details for:
- Spirit Home Health Care in Florida reported that 603 patients were affected by a breach on September 19 involving the improper disposal of paper records.
- Reimbursement Technologies of Pennsylvania reported that 2,300 patients were affected by a breach that occurred between May 1 and July 26, involving “Unauthorized Access/Disclosure,Network Server.”
- Blue Cross and Blue Shield of North Carolina reported 687 were affected by a breach on October 14 involving “Unauthorized Access/Disclosure,Paper.”