Oh, so that's what happened?
One of the (all too many) frustrations with trying to learn from HHS’s public breach tool is that they do not let us know when they’ve updated an older entry or closed an investigation.
In December of 2012, I had reported three additions to the breach tool for which I could find no information online. The first was
"Surgical Associates of Utica, PC",NY,"Quanterion Solutions, Inc.",1017,9/18/2012,Theft,Network Server,11/16/2012,,
but I could find no information anywhere.
Today, I happened to stumble across the fact that HHS had closed its investigation of the breach, and had added a summary of the breach and investigation back in June:
An unencrypted thumb drive that contained the electronic protected health information (ePHI) of 1,017 individuals was stolen by an employee of the covered entity’s (CE) business associate (BA), Quanterion Solutions, Inc. The ePHI included names, addresses, dates of birth, driver’s license numbers, social security numbers, claims information, clinical information, diagnosis/conditions, lab results, treatment information, and medications. Upon discovery of the breach, the CE, Surgical Associates of Utica, PC, filed a police report and the employee was arrested. The CE provided breach notification to HHS, the media, and affected individuals and provided credit monitoring services for these individuals. As a result of OCR’s investigation, the CE executed a BA agreement.
HHS also closed its investigation of a second breach that had been entered as:
"First Step Counseling, Inc.",NJ,,638,5/1/2011-08/05/2011,Unauthorized Access/Disclosure,Paper,11/16/2012,,
Their summary for that breach was:
Two of the covered entity’s (CE) employees photocopied documents containing 638 patients’ protected health information (PHI) and disclosed the documents to their attorney. The PHI included names, insurance numbers, diagnoses, dates of birth, telephone numbers, and social security numbers. Upon discovery of the breach, the CE hired attorneys to seek immediate return of all photocopies that contained the PHI. The CE provided breach notification to the affected individuals, HHS and the media. As a result of OCR’s investigation, the CE transferred to an electronic billing system that is password protected and secured patient files with a lock. Further, the front desk has been positioned by a protective window and policies have been implemented to prevent patients from standing beside the reception desk. The CE also reviewed and revised its consent forms and retrained all staff.
As to the third breach I had noted in that 2012 post:
Well, that one appears without any summary, but the November 2012 date of uploading to the site seems to have been changed to January 23, 2014.
Looking at HHS’s site, there are many breaches where summaries have been entered for older breaches, and I can see where there should be a lot of updating of research databases.