Back on January 3, I blogged about three breach reports I had stumbled across in December. One of them involved an undated substitute notice from Mid America Health concerning a stolen laptop. I had e-mailed Mid America Health in December to ask when the breach had occurred and for more details, but they did not respond to my inquiry and the breach did not appear on HHS’s breach tool. Their substitute notice had indicated that the breach had been reported to the Maryland Attorney General’s Office, however, and when inspection of Maryland’s breach report site failed to uncover any such notice between 2008 and August 30, 2012 (the last time their site was updated), I filed a freedom of information request with the Maryland Attorney General’s Office to request a copy of the notification.
The state subsequently sent me a report dated February 18, 2013, but the February 18, 2013 report did not involve a laptop theft. Confused, I e-mailed Mid America Health again, to ask for clarification or whether there had been two breaches. I also contacted the Maryland Attorney General’s Office to ask them about the apparent discrepancy between the substitute notice and the report filed. The state followed up by contacting Mid America Health, who – while again not responding to my inquiry – did reply to the state that there had been a previous incident in April 2012 involving a laptop theft. That incident had been reported to the state via e-mail in June 2012. The text of the June 6 e-mail, provided to me by the state, was as follows:
Office of the Attorney General
Attn: Security Breach Notification
200 St. Paul Place
Baltimore, MD 21202
On April 6, 2012, Mid America Health, Inc., who is the service management company for PrevMED, discovered a potential breach of the personal information of approximately 1444 Maryland residents. A workforce member, contracted to perform dental assistant services for Mid America Health, Inc., was personally assaulted which subsequently led to the theft of a laptop computer – owned and managed by Mid America Health, Inc. – that was in her possession for the purpose of carrying out her job responsibilities. The information that is stored on this device and can potentially be compromised may include patient names, dates of birth, social security numbers, residential facility names and digital oral x-ray images. At the moment, the impact this breach may cause is still unclear. However, we believe that the risk of harm to the individuals potentially affected is low. Since the breach was the result of a crime where the investigation is ongoing, the Maryland State’s Attorney’s office has asked that we withhold specifics of the case from the public until the investigation has been concluded. (Please see attached correspondence.)
In order to comply with our obligations as a covered entity under Federal law and the requirements outlined under Maryland law, Mid America Health will be making notifications to the following:
1. Secretary, Department of Health & Human Services
2. All individuals potentially affected (approximately 1,444) or their personal representatives
3. All business associates whose relationship to our organization is based on that of the individual
4. A legal notice in several print publications throughout the state of Maryland.
In addition, information will be posted to the company website, www.mahweb.com, as a substitute notice option. A copy of the notice that is being sent to the affected individuals is attached to this message.
To help safeguard all affected individuals from the misuse of any personal information, Mid America Health is offering individuals an opportunity to enroll in a credit monitoring service at no cost. Individuals will be able to accept this offer for up to 90 days from the date of the notification letter.
The credit monitoring will be good for 12 months from the date of enrollment. In order to assist individuals and their representatives with taking the necessary steps to protect themselves against identity theft, we will also have established a dedicated hotline where the Privacy Officer can be reached directly. All questions regarding the breach, concerns about next steps, and requests to enroll in the credit monitoring service can be made by contacting:
We take the protection of personal information seriously and are taking many steps to prevent any similar occurrences in the future. Of the many options we are reviewing to improve on the privacy and security of protected information, we have already begun making adjustments in the following areas:
1. Retraining ALL workforce members on all privacy laws and company privacy policies and procedures;
2. Reviewing and adjusting operations procedures to improve security and maintain privacy;
3. Performing security upgrades and adjustments to all portable devices and electronic records systems used to perform job functions.
Adjustments to workstation security will continue to be made upon review and testing of current operations procedures. Should you have any additional questions regarding this matter, please feel free to contact the undersigned.
1499 Windhorst Way, Suite 100
Greenwood, IN 46143
Direct: (317) 452-4367 * Fax: (888) 711-2417
I was able to confirm with the state that they had, indeed, requested MAH not disclose details that might impede the criminal investigation or endanger a state’s witness. I do not know if the state ever lifted that prohibition, but note that this breach still does not appear on HHS’s breach tool, despite the June 2012 e-mail saying it was being reported to HHS and despite the fact that it affected over 500. Because Mid America Health did not respond to a third email I sent asking them to confirm, in part, whether this breach was ever reported to HHS, I e-mailed HHS yesterday to inquire as to whether they ever received this report and/or if there are any conditions under which they do receive a report but do not disclose it publicly. I will update this blog entry when I get a response.
As to Mid America Health’s second breach, described below, do not expect to see it on HHS’s breach tool as that one reportedly affected (only) 18 patients. From their notification to Maryland, on December 20, 2012, a paper file with 18 Maryland residents’ information was stolen from a dental assistant’s car in Baltimore while she was treating residents at the MedStar Good Samaritan Nursing Center:
The compromised information may include the name of the secured nursing facility where the affected individuals reside, as well as the individuals’ names, social security numbers, dates of birth, medical and dental evaluation information, and medical and dental providers’ names and license numbers. The theft was reported to the local police department. At this time, no suspects have been identified and none of the stolen property has been recovered. Please be advised that only 3 of the 18 residents’ social security numbers were stolen, but MAPG is unable to identify which 3 residents were affected.
Those affected were offered free credit monitoring services.
So now we have some answers, thanks to open records law and the Maryland Attorney General’s Office. But it’s times like these when I wonder yet again how many other breaches involving PHI are flying under the radar because Congress opted to not require a centralized publicly available database of breach reports.
Update: I received an email from MAH in response to my last e-mail that stated, in full:
As a conscientious company, we have voluntarily, carefully and meticulously complied with all mandatory and recommended procedures involved with a HIPAA breach. We have also invested much time and effort into dramatically improving our HIPAA-information-safeguard systems and procedures. During this time, we have been dealing with the governmental departments and agencies tasked with enforcing compliance and investigating potential breaches. Please contact these governmental entities for access to public information regarding our activities in this regard.