Oh, so that's what happened?

One of the (all too many) frustrations with trying to learn from HHS’s public breach tool is that they do not let us know when they’ve updated an older entry or closed an investigation.

In December of 2012, I had reported three additions to the breach tool for which I could find no information online. The first was

"Surgical Associates of Utica, PC",NY,"Quanterion Solutions, Inc.",1017,9/18/2012,Theft,Network Server,11/16/2012,,

but I could find no information anywhere.

Today, I happened to stumble across the fact that HHS had closed its investigation of the breach, and had added a summary of the breach and investigation back in June:

An unencrypted thumb drive that contained the electronic protected health information (ePHI) of 1,017 individuals was stolen by an employee of the covered entity’s (CE) business associate (BA), Quanterion Solutions, Inc. The ePHI included names, addresses, dates of birth, driver’s license numbers, social security numbers, claims information, clinical information, diagnosis/conditions, lab results, treatment information, and medications. Upon discovery of the breach, the CE, Surgical Associates of Utica, PC, filed a police report and the employee was arrested. The CE provided breach notification to HHS, the media, and affected individuals and provided credit monitoring services for these individuals. As a result of OCR’s investigation, the CE executed a BA agreement.

HHS also closed its investigation of a second breach that had been entered as:

"First Step Counseling, Inc.",NJ,,638,5/1/2011-08/05/2011,Unauthorized Access/Disclosure,Paper,11/16/2012,,

Their summary for that breach was:

Two of the covered entity’s (CE) employees photocopied documents containing 638 patients’ protected health information (PHI) and disclosed the documents to their attorney. The PHI included names, insurance numbers, diagnoses, dates of birth, telephone numbers, and social security numbers. Upon discovery of the breach, the CE hired attorneys to seek immediate return of all photocopies that contained the PHI. The CE provided breach notification to the affected individuals, HHS and the media. As a result of OCR’s investigation, the CE transferred to an electronic billing system that is password protected and secured patient files with a lock. Further, the front desk has been positioned by a protective window and policies have been implemented to prevent patients from standing beside the reception desk. The CE also reviewed and revised its consent forms and retrained all staff.

As to the third breach I had noted in that 2012 post:

"CVS Caremark",RI,,955,8/13/2012,Theft,Paper,11/16/2012,,

Well, that one appears without any summary, but the November 2012 date of uploading to the site seems to have been changed to January 23, 2014.

Looking at HHS’s site, there are many breaches where summaries have been entered for older breaches, and I can see where there should be a lot of updating of research databases.

About the author: Dissent

4 comments to “Oh, so that's what happened?”

  1. Anonymous - September 22, 2014

    Since it is also published in XMP, it would be trivial to write a script to compare 2 versions and post the diff.

    • Anonymous - September 22, 2014

      ChangeDetection.com is of no help here. Do you know of any similar site that could? The fact that they don’t add incidents to the end of their list also makes spotting changes difficult, e.g., in some cases, they seem to just add a breach anywhere instead of after the last new entry.

      • Anonymous - September 22, 2014

        You can just download the XML file, wait a week and download it again, and then compare the 2 with WinMerge CLI (or diff if using Linux) – that can all be rolled up into a batch or bash script and then automatically run with scheduled programs or cron… you could even get fancy and have it send you an email or post to your Twitter

  2. Anonymous - September 22, 2014

    er, XML that is 😀
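
The snapshot comparison discussed in the comments, as an added example (not code from the post or its commenters): because entries are inserted anywhere in the list and older entries are edited in place, it matches records by key instead of diffing line by line. It works on CSV rows in the format quoted in the post rather than the XML export; the column names, the choice of key, the "Example Clinic" entry, the placeholder summary and the date format of the changed CVS posting date are assumptions or constructed sample data.

```python
import csv
import io

# Column names are assumptions: the post quotes rows only, without a header.
COLUMNS = ["name", "state", "business_associate", "individuals", "breach_date",
           "breach_type", "location", "posted", "summary", "extra"]
# Assumed record identity. "posted" is excluded because the post shows that
# date changing on an existing entry.
KEY = ("name", "state", "breach_date")

# Older snapshot: the three rows quoted in the post.
OLD = '''"Surgical Associates of Utica, PC",NY,"Quanterion Solutions, Inc.",1017,9/18/2012,Theft,Network Server,11/16/2012,,
"First Step Counseling, Inc.",NJ,,638,5/1/2011-08/05/2011,Unauthorized Access/Disclosure,Paper,11/16/2012,,
"CVS Caremark",RI,,955,8/13/2012,Theft,Paper,11/16/2012,,
'''
# Newer snapshot (constructed): reordered, one made-up entry inserted mid-list,
# a placeholder summary added, and the CVS posting date changed.
NEW = '''"CVS Caremark",RI,,955,8/13/2012,Theft,Paper,1/23/2014,,
"Example Clinic (constructed)",TX,,500,3/1/2014,Loss,Laptop,4/1/2014,,
"Surgical Associates of Utica, PC",NY,"Quanterion Solutions, Inc.",1017,9/18/2012,Theft,Network Server,11/16/2012,"summary text (placeholder)",
"First Step Counseling, Inc.",NJ,,638,5/1/2011-08/05/2011,Unauthorized Access/Disclosure,Paper,11/16/2012,,
'''

def load(text):
    """Parse a headerless CSV snapshot into {key: record}."""
    records = {}
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        cells = [c.strip() for c in row] + [""] * (len(COLUMNS) - len(row))
        rec = dict(zip(COLUMNS, cells))
        records[tuple(rec[k] for k in KEY)] = rec
    return records

def compare(old_text, new_text):
    """Return (added, removed, changed), ignoring the order of rows."""
    old, new = load(old_text), load(new_text)
    added = sorted(new.keys() - old.keys())
    removed = sorted(old.keys() - new.keys())
    changed = {}
    for key in sorted(old.keys() & new.keys()):
        delta = {c: (old[key][c], new[key][c])
                 for c in COLUMNS if old[key][c] != new[key][c]}
        if delta:
            changed[key] = delta
    return added, removed, changed

if __name__ == "__main__":
    print(compare(OLD, NEW))
```

Run against two saved snapshots, the `changed` mapping is what surfaces a closed investigation: a previously empty summary column that now has text, or a posting date that has moved.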
