Remember the Advanced Data Processing/Intermedix insider breach of 2012 where a rogue employee provided ambulance patient identity information to others involved in a tax refund fraud scheme? I had covered it on PHIprivacy.net (cf. here and here for just two of the posts) and also on this site (cf. this post). In reporting on the breach, one of the things I noted was that although the breach was first disclosed in November 2012, some people were first being notified months and even years later. The most recent batch of notifications stemming from the breach appears to relate to Philadelphia EMS patients. According to media coverage, ADPI first notified Philadelphia in February 2015, and it took until mid-April for the city to notify its affected residents. But why did it take so long for ADPI to determine that Philadelphia patients were impacted or to notify the city? Yehonatan Weinberg, a Philadelphia resident who used the ambulance service during the critical period in 2012 and who subsequently became a victim of tax refund fraud, has now sued ADPI and Intermedix over the breach. The complaint, which uses HIPAA and NIST standards to argue what Intermedix should have done (but allegedly didn’t), alleges negligence, breach of fiduciary duty, and restitution/unjust enrichment. In its early notification letters, ADPI/Intermedix offered a year of free credit monitoring services with Experian ProtectMyID. But what happened to people who became identity theft/fraud victims before Intermedix ever notified them? Did Intermedix then offer them identity theft restoration services? Intermedix has not responded to an email inquiry sent this afternoon. This post will be updated if they respond. On August 5, one day after the complaint was filed in federal court in the Southern District of Florida, Judge Beth Bloom denied the motion for class certification as premature.
As her order explains, the plaintiff’s fear that class certification might be mooted by a “buy off” offer from the defendant does not apply in the Eleventh Circuit as long as the plaintiff has not failed to diligently pursue class certification. The motion was denied without prejudice. Elsewhere, and according to HHS’s public breach tool, HHS’s investigation into the breach appears to still be open. Because the FTC generally does not make its investigations public, it is not known whether they, too, may be investigating ADPI over this breach.
I have to confess I was somewhat surprised to see that HHS’s public breach tool is still adding affected entities to the Advanced Data Processing incident. Whether HHS is just getting around to adding them or whether the entities are first discovering and/or reporting that their patients were involved is not known to me. Readers may recall that breach as a rogue insider who stole and provided PHI for a tax refund fraud scheme. This week, there were three ADP-related entries, although one of them appears to be just a summary of the other two and should probably be removed from the breach tool to prevent double-counting: The Alexandria Fire Department in Virginia reported that 1,669 patients were affected by the incident, while Heard County EMA in Georgia reported that 672 of their patients were affected. Of note, the ADP entry in HHS’s public breach tool does not yet have a summary, which may mean that HHS’s investigation into this insider breach may be ongoing.
Friday afternoon and HHS has added dozens of new updates/revisions to the breach tool – after adding dozens more during the week? Yikes. As before, some of them appear to be older incidents that had never been posted publicly while others are more recent. One change that I noted immediately is that they’ve now organized the Advanced Data Processing breach that I’ve covered on this blog before (see previous posts). Their entry shows that the following covered entities were all affected by the insider breach for tax refund fraud that they code as “theft” from “desktop computer:”

1st Response Medical Transport Corp.
City of North College Hill
Okaloosa County Public Safety
Sumner County Emergency Medical Services
City of Seguin – Fire/EMS Department
City of Overland Park Fire Department
Osceola County EMS
City of Gloucester, Fire Department
Washington County EMS
City of Covington Kentucky Fire Department
Sandoval County Fire Department
Frederick County Division of Fire Rescue
Village of North Palm Beach Fire Rescue
Bonham Fire Department
North Lake Tahoe Fire Protection District
Tahoe Douglas Fire Protection District
McAlester Fire/EMS
City of Blue Springs EMS
City of Azle Fire Department
City of Casselberry
Harris County Emergency Corps
Valparaiso Fire Department
City of Victoria Fire Department
City of Yuma
City of Atlanta/ Atlanta Fire Rescue Department
Omaha Fire & Rescue
City of Omaha
City of Berkeley
Cumberland County Hospital System, Inc.
Grady Health System
City of Los Angeles/Los Angeles Fire Dept.
City of Corona
City of Yuma
City of Omaha

HHS shows the total number affected as 32,000. You can compare their list to the list I had constructed with numbers based on my research, here. One implication of their reorganization should be that this should now be counted as (just) one incident instead of multiple incidents as they originally showed it.
Unfortunately, the breach tool still shows these as individual incidents, many of which do not even list Advanced Data Processing as the involved business associate. I’ll get to the other 3 dozen+ additions to the breach tool as time permits over the weekend.
HHS updated its breach tool yesterday. The following is an annotated list of new entries on their list. It is not clear to me why there are breach entries where the breaches occurred in 2011 or 2012. Did HHS delay in adding incidents to the breach tool or are entities first discovering and/or reporting the incidents? Unfortunately, HHS’s breach list does not include a field for the date on which the incident was reported – only the date that HHS adds it to the list. The following are newly added incidents for which we already had some information: UT Physicians, the medical group practice of The University of Texas Health Science Center at Houston (UTHealth) Medical School, reported that 596 patients had PHI on the laptop reported missing or stolen. The Olson & White Orthodontics burglary was reported to HHS with the same details as previously reported on this blog. The City of Seguin, TX reported that 839 patients were affected by the Advanced Data Processing (ADPI) breach in 2012, while Washington County EMS, TX reported that 1,435 of their patients were affected and the City of North College Hill reported that 555 of their patients were affected. For all previous coverage on this blog of ADPI’s breach, click here. Parkview Community Hospital Medical Center in California reported that 32,000 of its patients were affected by the Cogent Healthcare breach caused by a firewall error by its transcription service vendor, M2ComSys. It’s a bit surprising to see one hospital report 32,000 since media reports at the time suggested it was 32,000 total. The number of Parkview patients needs to be confirmed, as they may have been reporting the total number from Cogent and not just their portion. Jackson Health System in Florida reported that 1,471 patients had PHI in boxes of records that were discovered missing or unaccounted for. The boxes were discovered missing in January. St.
Anthony’s Physician Organization in Missouri reported the July 29 theft of a laptop with PHI of 2,600. The laptop was stolen from a physician’s car. Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group reported the theft of computers containing PHI on 4,029,530 patients. The following are incidents that were not previously noted on this blog: The Kaiser Foundation Health Plan of the Northwest reported a breach affecting 647 patients that occurred on March 15, 2013. This does not appear to be the same breach reported recently on this blog, but as yet, I’ve found no details on it, and e-mailed Kaiser Permanente to request information. Update 1: Kaiser Permanente Northwest replied to my inquiry with the following statement: Kaiser Permanente Northwest recently discovered that an employee viewed medical records without proper authorization. A comprehensive investigation of the incident has been completed and state and federal regulatory agencies notified. Notification letters have been mailed to every affected Kaiser Permanente member. Our internal investigation of this matter shows: There is no evidence that information was viewed by the employee for the purpose of fraud or other criminal activity. The employee had no access to Social Security numbers, credit card information, or records through Mental Health or Addiction Medicine specialties. There is no evidence that the employee retained, maintained, or stored any of the information contained in the medical records. Summit Community Care Clinic in Colorado reported that 921 patients were affected by a Hacking/IT incident that occurred July 22. There is no statement or notice on their web site at this time, and PHIprivacy.net e-mailed them to request information. (see update HERE). Minne-Tohe Health Center/Elbowoods Memorial Health Center in North Dakota reported a breach affecting 10,000. 
The breach reportedly occurred October 1, 2011, and involved “Improper Disposal, Unauthorized, Access/Disclosure”,”Desktop Computer, Other.” Clear as mud, right? I have no idea what happened there or why it took almost two years for this to show up on HHS’s breach tool. This one may require a phone call. Logan Community Resources, Inc. in Indiana reported that 2,900 were affected by a “Hacking/IT Incident” that occurred on August 24, 2012. Again, I could find no information online a year after the breach, and so sent an e-mail requesting details of the incident. St. Francis Health Network, aka Franciscan Alliance ACO in Indiana reported that a breach involving Advantage Health Solutions affected 2,575 patients. The breach occurred on October 19, 2012. The log entry does not appear to be related to this breach report from July involving Advantage Health Solutions, and PHIprivacy.net has e-mailed Franciscan Alliance ACO to ask for details on the incident. Because email inquiries sent yesterday have not yet received any replies, do check back to see if this post is updated with additional details.
On Friday, HHS added 14 new incident reports to its breach tool. Half of them are organizations affected by the ADPI breach, and I’ve added their numbers to the list I’ve been keeping of affected organizations and number notified of that incident. Another breach HHS added today was one already covered on this blog. That left five incidents we didn’t already know about: Coastal Behavioral Healthcare, Inc. in Florida reported that 4,907 patients were notified of the theft of paper records back on April 11, 2011. A statement dated December 12 on Coastal’s web site says, in part: Coastal Behavioral Healthcare, Inc. (“Coastal”) became aware of a breach of patient information on October 10, 2012 when a law enforcement officer contacted Coastal to report discovery of a list, dated April 2011, of approximately 136 Coastal patient names and identifying information found in a vehicle during a traffic stop. Coastal has been conducting an internal investigation to determine how this information may have illegally been removed from Coastal premises and is cooperating fully with law enforcement in the prosecution of the individuals who possessed the information. As part of our investigation, we have determined that it is possible that additional patients may have been affected; therefore, to protect our patients we are notifying all patients whose information we believe could have been compromised. James M. McGee, D.M.D., P.C. in Stone Mountain, Georgia reported that 1,306 dental patients were notified of a September 19, 2012 incident involving the theft of paper records. There is no statement on his web site that I can find and no media coverage that I can find at this time. Robbins Eye Center in Bridgeport, Connecticut reported that 1,749 patients were notified after an October 7 incident involving theft of data (possibly theft of the computer itself?). There is no notice on their web site at this time, and I can find no media coverage or substitute notice. 
Vidant Pungo Hospital in Belhaven, North Carolina notified 1,100 patients after an October 4 incident involving the improper disposal of paper records. I was able to find a breach notice linked from their home page. Of note, they report: Specifically, the paper jackets that held one or more old radiology films were improperly discarded with office trash, picked up by a sanitation company, and disposed of in a landfill. The information contained on the paper jacket was limited to name, address, date of birth, age, sex, race and the date and name of the radiology procedure prior to May of 2012. The radiology films themselves were not disclosed, nor was any financial information. Brigham and Women’s Hospital in Boston notified 615 patients after an October 16th incident. There is no notice on their web site at this time. Nor does there appear to have been any press release issued. Interpreting HHS’s “Theft, Desktop Computer” is a … well… it’s a crapshoot. It could be that a computer was stolen or it could be that an employee stole data from the desktop computer. Have I mentioned how I wish HHS would change their reporting form to make this clearer in the breach tool?