Recent updates to HHS's public breach tool
There’s an update to the breach involving an office burglary at Dr. Vonica Chau ‘s office in Arlington, Texas: when the breach was added to HHS’s public breach tool, it was reported as affecting 810 patients.
The American Family Care breach was also added to HHA’s public breach tool this week. The entry shows the laptop theft occurred on July 18 and affected 2,588 patients.
Two other breaches (neither of which have been previously reported on this blog) were also added to the public breach tool this week. The first, involving Oklahoma City Indian Clinic, reportedly affected ,6000 patients. A notice linked from the clinic’s home page explains the e-mail attachment gaffe that resulted in the breach:
OKLAHOMA CITY – Oklahoma City Indian Clinic recently notified 6,044 patients that their names, email addresses and clinic-specific patient numbers were compromised after the following event: On July 28, 2014, an email was sent from the clinic to 360 patients advertising an upcoming adolescent health fair. A spreadsheet containing names, email addresses and clinic-specific patient numbers of 6,044 clinic patients was inadvertently attached to the email. The sender forwarded a message and failed to remove the attachment, which was used as a worksheet to determine the recipients of the email. The patient number is used for internal clinic purposes and is not the patient’s social security number. The clinic became aware of the incident, and a recall message was sent the same day. The clinic also sent an email to the recipients notifying them that the spreadsheet was not intended for them and requesting that they delete it. A notification letter was sent to all patients whose names were on the spreadsheet on Aug. 18. “Oklahoma City Indian Clinic understands the importance of safeguarding our patients’ personal information and regret that this incident occurred,” said Lysa Ross, COO of OKCIC. “We have notified our patients of the breach and are taking steps to prevent this from happening again. We encourage patients to call with any questions or concerns.” The type of information that was released would not create potential for identity theft. However, patients may receive unwanted emails and should monitor their email accounts. Patients may call toll free 1-844-MYOKCIC Monday – Friday between the hours of 8 a.m. and 5 p.m. with any questions.
The second new entry involves Compassionate Care Hospice of Central Louisiana, whose July 30th breach reportedly involved 707 patients. A notice on the CCH’s web site explains:
HIPAA Breach Notification
On July 30, 2014, there was a break-in and theft at Compassionate Care Hospice of Central Louisiana’s office located at 5417 Jackson Street, Suite B, in Alexandria, LA. Compassionate Care Hospice immediately reported the incident to local police. On or about September 22, 2013 (sic), Compassionate Care Hospice mailed correspondence to each affected individual or next of kin notifying them of the incident. The letter contains instructions for you to follow in the event that you or your loved one has been affected by this incident.
The theft included some laptop computers that were secured by a password and an external hard drive. The laptops were remotely wiped by our IT team on or about July 31, 2014. The information of the laptops included either the patient’s first and last name only or the patient’s first and last name, patient number, age, admission date, discharge date (if applicable), length of stay, location (i.e., home, hospital or skilled nursing facility) medication class (if applicable), and disposition (i.e., revocation, transfer, etc.).
If you do not receive our letter, please contact our program office at (318) 487-9400 or our toll free compliance hotline at (800) 234-8147. For more information, please click here.