Taking note that we're in the dark (updated to shine some light)
Aha. It’s not just yours truly complaining about breaches where no information is readily available. One of the breaches I had cited as an example involved Upper Valley Medical Center. Citing the entry on HHS’s breach tool, I had written:
Upper Valley Medical Center,OH,,"15,000",10/01/2010-03/21/2012,Unauthorized Access/Disclosure,Other,7/3/2012,,
The breach went on for over one year? There doesn’t seem to be any media coverage of this breach, so I emailed UVMC last week to inquire and will update this entry when I get a response.
In researching this entry, though, I discovered that UVMC had a second, and more recent, breach involving a missing hard drive.
UVMC never responded to my request for information.
Now the Dayton Daily News also raises the question as to why they didn’t know about this breach, either. Maybe they’ll be able to get a response from UVMC. Their question, however, suggests that this was not a situation in which they had received a substitute notice to post in the paper.
Because HHS is so under-staffed and backlogged, it will likely be ages before their breach tool is updated to incorporate any real details about the breach, leaving us in the dark until someone gets a response from UVMC or someone who received a breach notice from them shares it.
Update: The Dayton Daily News got some answers from UVMC. Mark Gokavi reports:
An 18-month data breach involving 15,000 patients at Upper Valley Medical Center in Troy allowed unauthorized access to patients’ names, address, hospital account number and balance owed. No clinical information was accessible.
A legal notice published in area newspapers in late May said that the information may have been accessed through contractor Data Image’s online billing system. Hospital spokeswoman Gail Peterson said customers were informed of the breach in May by a letter from Data Image, which said one patient reported being able to see other patients’ data.[…]
“It wasn’t open to the public,” Data Image general manager Marty Callahan said of the programming error. “There was no breach outside of our walls. That went undetected until a single patient notified us that they were able to see another invoice or bill.” Callahan said he knew of no other instance where Data Image has been involved in a security breach.
So apparently there was a substitute notice, and with some more digging, I found a cached copy of a notice that appeared in the Dayton Daily News on May 24th (it also appeared in other Ohio publications):
Legal Notice: Data Image, on behalf of its customer Upper Valley Medical Center, notified all affected individuals that on March 21, 2012, some of their personal information could have been accessed through Data Image’s online billing system. The information available was limited to name, address, hospital account number and balance owed to the hospital, but no clinical information was accessible. Data Image and its customer Upper Valley Medical Center are taking this incident very seriously. An investigation has been conducted and safeguards have been implemented to prevent the potential for any further disclosures of personal information. Patients with questions may contact Data Image at [email protected] or in the alternative write at: Upper Valley Medical Center Support C/O Data Image 2345 Gratiot Rd SE Newark, OH 43055 15634884 5-24-2012
Unfortunately, that notice suggests that the data might only have been at risk on March 21, when it now appears that it was at risk of disclosure for well over one year. Perhaps they hadn’t figured that out by the time of the publication.