Froedtert's alleged lack of cooperation in breach investigation has Milwaukee considering litigation

Things seem to be getting increasingly ugly between the City of Milwaukee and Froedtert Community Health/Workforce Health after the Dynacare breach mentioned previously on this blog. The city council voted to delay implementation of Phase 2 of its wellness program for employees that was to have been operated by Froedtert Community Health/Workforce Health. The city is also grumbling and threatening litigation against Froedtert if it doesn’t get more cooperation from them on the breach investigation. Brandon Cruz has the story, and it’s a useful reminder that if your vendor or business associate screws up or otherwise fails to comply with security protections in your contract, you may wind up losing the good will – and business – of your clients.

In this case, I do not know what Froedtert’s contract with Dynacare called for in the way of encryption on portable devices or whether there was even a contract in place. Inquiries sent to Froedtert last night and again today were not responded to. Froedtert’s alleged lack of cooperation with the city is also problematic, as you might think they’d want to distance themselves from Dynacare by aligning with the city as a fellow victim. But Froedtert reportedly has an ownership interest in Dynacare, even though the operations of the latter are overseen by LabCorp. One of the questions in the inquiry Froedtert did not respond to asked whether Froedtert’s ownership interest was influencing their cooperation with the city. While I hate to use the old “If you have nothing to hide…” line, it’s tempting to apply it here.

Certainly Froedtert’s breach response is not what their client expected and demanded after the breach. Froedtert was also asked whether they felt they had given Milwaukee full cooperation in the breach investigation, or what Milwaukee was demanding that they had not provided. Sadly, that question went unanswered, too.

WI: Flash drive with personal information of thousands of City of Milwaukee employees stolen from contractor’s car

Dan Walker reports:

A flash drive containing the personal information of thousands of City of Milwaukee workers was stolen along with the car of an employee of a health care firm that contracts with the city. The employee worked for Dynacare Laboratories, a contractor used by Froedtert Health Workforce Health in connection with the city’s wellness program.

The flash drive contained personal information, including names, addresses, dates of birth, Social Security numbers and gender. Mayor Tom Barrett said Friday night that approximately 6,000 city employees were affected. In addition, the names of approximately 3,000 spouses and domestic partners of those workers also were on the flash drive, but their Social Security numbers were not included. No financial information, medical records or test results were included in the database.

Read more on the Journal Sentinel.

The story does not specifically say the data weren’t encrypted, but it would seem that they weren’t. If that’s the case:

(1) Why weren’t the data encrypted? Did this violate the city’s policy, Froedtert’s, or Dynacare’s policies or contracts?

(2) Why were the data on a flash drive? Did Froedtert’s contract with Dynacare permit personally identifiable information to be copied onto portable devices that leave the premises?

(3) Why, if the drive was stolen on October 22, did it take so long for Dynacare to notify the city?

I imagine there will be a serious investigation into this as well as some finger-pointing. Where does the buck stop on this one? With Froedtert because Dynacare was their contractor? Use the Comments section below to discuss.

Two more newly revealed breaches

There are two newly revealed breaches on the HHS/OCR web site that were not previously reported in the media:

Laboratory Corporation of America/Dynacare Northwest, Inc.
State: Washington
Approx. # of Individuals Affected: 5,080
Date of Breach: 2/12/10
Type of Breach: Theft
Location of Breached Information: Laptop

Lee Memorial Health System
State: Florida
Approx. # of Individuals Affected: 3,800
Date of Breach: 1/29/10
Type of Breach: Other
Location of Breached Information: Paper Records

Of the  new additions to the web site,  two had been previously reported in the media.

Of interest, the University Medical Center of Southern Nevada breach that was reported extensively in the media indicated that 5,103 individuals were affected, which is many more than the 21 face sheets the hospital had  aware of via the media. And of course, although we know that unsecured protected health information was involved, we do not know if any SSN or financial information was involved because although HHS collects that information, it doesn’t share it on its web site.
