Three new breaches revealed by HHS/OCR

While I was away, I see that there was another update to HHS’s breach tool web page:

Debra C. Duffy, a dentist in Texas, reported that 4,700 patients were notified of a breach that occurred on August 5 that involved the theft a laptop. I do not see a notice on her web site, so if anyone has additional info, please use the Comments section to add information. [Updated May 22, 2011: Dr. Duffy posted an updated breach notice on her web site in January 2011 that lists all of the data types involved in the breach, including treatment information, graphic images, and Social Security numbers.]

Northridge Hospital Medical Center in California reported that 837 patients were affected by a breach that occurred on October 16 involving the loss of paper records. A notice on their home page says, “Northridge Hospital Medical Center has experienced a security incident involving Medicare and Medi-Cal patient information. If you were a patient at our Hospital between September 2004 and June 2006, please visit our Security Alert Page for details.” That notice says, in part:

On October 18, 2010, Northridge Hospital Medical Center discovered that a package sent thru a national courier containing information for 716 Medicare and Medi-Cal patients was damaged in transit, potentially exposing patient information to courier employees. We have no reason to believe that the information left the confines of the courier’s facilities.

Northridge Hospital has sent letters offering credit monitoring services to all Medicare and Medi-Cal patients whose personal/sensitive information may have been exposed. If you were a patient between September 2004 and June 2006 and have not received a letter or have questions, please contact 1-877-906-1590.

The documents may have contained patient names, addresses, phone numbers, social security numbers, guarantor social security number, date of birth, date of death, medical record number, admission and discharge dates, discharge summary, physician, procedure, notes for pregnancy-related emergency, admission, financial account number, provider number, insurance ID, Medicare or Medi-Cal charges billed and paid, hospital room and board charges, Medi-Cal ID number, California Children’s Services Authorization, and Medi-Cal Treatment Authorization.

It’s not clear why the number reported in the notice is discrepant from the one reported to HHS.

Aetna Insurance of Connecticut reported that 2, 345 insured were affected by a breach that occurred in September involving Unauthorized Access/Disclosure. So far, I haven’t found any additional details on this incident, but will keep searching. If you have a copy of the notification, please send it in.

About the author: Dissent