Newly revealed incidents from HHS's breach tool
HHS recently updated its breach notification tool and added seven incidents that have not been previously reported on this blog.
In the first incident, Robert S. Smith, M.D., Inc. of Georgia notified HHS that a laptop theft on October 17, 2011 affected 17,000 patients. In researching this incident, I found a breach notification:
HIPAA Breach Notification
Information on the limited theft of patient information.
On October 17, 2011, there was a “smash-and-grab” break-in at the offices of Robert S. Smith, M.D., Inc. (the “Lab”), and a laptop was stolen. The laptop contained limited information for some patients of the Lab that included name, date of birth, physician and diagnosis. There was no financial information or other sensitive information such as Social Security number included on the laptop.
The police discovered the theft shortly after it happened, and a report was filed. We believe the motive for this crime was for the laptop itself and not for the limited patient information the laptop contained. For this reason, we believe any risk to patients resulting from the theft is very low.
The Lab takes the privacy of its patients very seriously. In light of this theft, we are reviewing and revising its policies and procedures to safeguard against any future incidents.
The Lab is also notifying its patients of the theft via mail. Should you have any questions, please contact the Lab Management at 1-888-263-0388 between 9am and 5pm EST.
The second incident is intriguing as it may have occurred over more than a two-year period:
Molina Healthcare of California,CA,,"11,081", 09/23/2009 - 10/18/2011, Unauthorized Access/Disclosure,Paper,1/31/2011,
No information seems to be available online about this incident.
Aegis Sciences Corporation of Tennessee reported that 2,184 were affected by the theft of a laptop. This incident was previously covered on databreaches.net.
Smile Designs of Florida reported that 1,670 were affected by a computer theft on or about December 1. So far, I haven’t found any details on this incident.
Foundation Medical Partners of New Hampshire reported a breach that occurred on November 19 involving 771 patients’ records. So far, I haven’t found any details on this incident.
Muskogee Regional Medical Center in Oklahoma reported that 844 patients were affected by a loss that occurred on December 5. A breach notice on their web site says:
POTENTIAL BREACH OF PATIENT INFORMATION AT MUSKOGEE REGIONAL MEDICAL CENTER
Muskogee, Oklahoma – On December 6, 2011, Muskogee Regional Medical Center (the “Hospital”) learned that a binder containing paper forms with flu test results for 2011 was missing from the Hospital’s Laboratory Department. We believe the binder was lost on or about December 5, 2011. The information that was lost involved Hospital inpatients and outpatients receiving flu tests between January 1, 2011 and December 5, 2011. To date, we are unaware that any personal information has been misused by any unauthorized person.
The information contained in the binder included the patient’s full name, internal hospital department and internal account number, gender, medical record number, date of birth and age, date of test, and flu testing results noted as positive or negative. No other health information was contained in the log. No other financial information such as social security number or outstanding balances was contained in the binder.
Once the binder was identified as missing, the Hospital promptly began an investigation and a search of the Hospital’s Laboratory Department and surrounding areas. The binder was not located and remains missing.
To protect against further potential breaches, paper laboratory log books have been discontinued and only electronic logs will be used. In addition, the entire Laboratory Department received additional training on safeguarding patient information.
Patients who have any questions or would like further information should contact Amy Box, Privacy Officer and Director of Health Information Management, at 918-684-3578, or via e-mail at [email protected], or at MRMC, 300 Rockefeller Drive, Muskogee, OK 74401. Additionally, patients may call 1-800-722-9608 and ask for Amy Box, the Hospital’s Privacy Officer. This hotline number will remain in effect for at least 90 days.
This announcement is a substitute notice under the HIPAA notice of breach rules.
Concentra Health reported that 870 individuals had data on a laptop that was stolen on November 30. A statement on Concentra’s web site says:
Concentra Notifying Springfield-Area Patients About Security Breach
During a recent burglary at the Concentra Medical Center in Springfield (1308 N. Glenstone Ave.), an unencrypted laptop computer was stolen from the facility. The computer contained the names, Social Security Numbers and pre-employment work-fitness test results of approximately 900 Concentra patients from the Springfield area.
At this time, Concentra has no reason to believe that the information has been used inappropriately. Concentra has notified all of the patients whose information was on the computer, and will provide them free access to a credit-monitoring service that can help protect against potential misuse of their information. We are strongly encouraging these patients to enroll for the free service.
While Concentra has policies and procedures in place to maintain the security of its patients’ information, we are taking additional steps as a result of this incident. These steps include a comprehensive review of our technical security procedures and conducting an inventory and review of all equipment that maintains protected health information in Concentra’s Springfield Medical Center, to ensure that all of this equipment has been encrypted.
Patients who have any questions about this may contact Concentra via e-mail at [email protected], or by phone at 1-800-819-5571, from 9 a.m. to 5 p.m. Any Concentra patient who believes their information is being used by another party is urged to contact Concentra’s Privacy Office, so that Concentra can work with the patient and law enforcement officials to promptly investigate the matter.