Unencrypted laptops still a major cause of breach reports to HHS

Here’s a run-down of the 29 breaches HHS added to its breach tool today, organized by those we already knew about vs. ones that we didn’t know about. With today’s additions, the breach counter on HHS for breaches affecting over 500 patients stands at 711 since September 23, 2009 when HITECH reporting requirements went into effect. In the newest additions, approximately half of the incidents involved laptop or computer theft, and almost one fourth involved an intentional insider breach.

Breaches previously reported on this blog, updated to include numbers reported to HHS if not previously disclosed:

  • Saint Louis University notified HHS of their email breach.
  • AHMC Healthcare Inc. and affiliated Hospitals notified HHS of laptop thefts, previously reported here and here.
  • ICS Collection Service, Inc. on behalf of University of Chicago Physicians Group reported that 1,290 patients were affected by the exposure breach previously reported here.
  • Memorial Hospital of Lafayette County named the vendor involved in its mailing error breach as Healthcare Management System. The number affected was reported to HHS as 4,330, although their public statement said 6,000.
  • SSM Health Care of Wisconsin dba St. Mary’s Janesville Hospital notified HHS of the laptop stolen from an employee’s car.
  • Carol L. Patrick, Ph.D. notified HHS that 517 patients had PHI on computers stolen during an office burglary.
  • Seton Healthcare Family notified HHS of the incident involving a stolen laptop.
  • Sentara Healthcare notified HHS of the insider breach reported here.
  • Reconstructive Orthopaedic Associates dba Rothman Institute notified HHS that 2,350 patients were affected by the employee theft of daily patient schedules.
  • Hospice of the Chesapeake reported that 7,035 patients were affected by an employee e-mailing spreadsheets with their information to a home account that may have been hacked. The hospice’s statement at the time mentioned 500 patients.
  • TSYS Employee Health Plan reported that 5,232 were affected by this insider breach. They do not seem to have named the business associate responsible, but that’s in previous coverage of this incident.
  • CaroMont Medical Group reported that their incident involving unsecured e-mail affected 1,310.
  • Broward Health Medical Center notified HHS of this insider breach after law enforcement uncovered the data theft.
  • HOPE Family Health reported that 6,932 patients had PHI on the laptop stolen from a home.
  • University of California, San Francisco reported this laptop theft.
  • Santa Clara Valley Medical Center reported that 579 patients had PHI on a stolen laptop.
  • Holy Cross Hospital reported this insider breach.
  • North Country Hospital and Health Center reported that 550 patients had PHI on a laptop a former employee declined to return to them (they report it as theft).
  • Hankyu Chung, M.D. reported that 2,182 patients had PHI on a laptop stolen in an office burglary.

Breaches reported to HHS not previously noted on this blog:

1. Good Samaritan Hospital in California notified 3,833 pacemaker patients about a laptop stolen on July 8. A statement linked from their homepage reads, in part:

On July 8, 2013, we learned that a laptop computer containing information about pacemaker readings was missing. Initially we had understood the information was not linked to any patient identifying information, but on September 23, 2013, we learned that the laptop also had data files that could be linked to the pacemaker readings that included patient identifying information. We learned that the missing laptop included patient names, birth dates, addresses, telephone numbers, and health insurance company names. The data files also included patient diagnoses and treatment information related to patients’ cardiology conditions pertinent to their pacemakers. Social Security numbers of five patients were also included. The information on the computer was protected by a password and was stored in separate files that make it more difficult to access. The laptop did not, however, have the extra protection of encryption, which scrambles the information on the computer unless you are an authorized user. No financial information was involved.

This incident did not affect all Good Samaritan Hospital patients, only some of the Hospital’s patients who had pacemakers checked from 1996 through July 2013.

2. Texas Health Presbyterian Dallas Hospital reported that 949 patients had PHI on a computer stolen on August 22. It took some searching, but I did locate a statement on their web site that says, in part:

On August 23, 2013, Texas Health Dallas learned that the treatment planning computer was missing from the Gamma Knife department. The theft was immediately reported to the Dallas Police Department – Report Number 216375-A. The security cameras were reviewed and we were able to determine that the theft occurred on or about 6 p.m. on August 22, 2013. A copy of the video showing the perpetrator was provided to the Dallas Police Department. We continue to work toward identification of the perpetrator and have strengthened our security procedures.

The computer was password-protected. It would be difficult to access the information without the password. The information on the computer included the following: name, date of birth, age, gender, radiology images, radiation therapy dose planning, treating diagnosis and the medical record number assigned by the hospital. We have no knowledge that any of the information included on the computer has been accessed or used inappropriately. However, we do urge you to contact law enforcement immediately if you notice any unusual activity related to any of your personal accounts. If you would like for us to flag your records for possible identity theft, we will be happy to do so.

3. Ferris State University – Michigan College of Optometry notified HHS about a malware breach affecting 3,947 that occurred in December 2011. Interestingly, I had recently noted a Ferris State U. breach over on DataBreaches.net, but those reports had not indicated that any patient data were involved. I was able to locate a later notice on the College of Optometry’s site that suggests that their report was, indeed, part of the same situation reported on DataBreaches.net. Neither the prior notice nor this one tells recipients that the malware resided on the server since December 2011:

On July 23, 2013, we learned that an unauthorized person evaded our network security and placed a malware program on the computer we use to operate our website. That program had the technical ability to access electronic files on certain servers across part of our network. We immediately shut down the web server and hired a leading national computer forensic firm to help us investigate the incident and block any further unauthorized access.

The investigation did not find any evidence that the unauthorized person actually viewed or removed any information from any system. However, because we cannot conclusively rule out the possibility that electronic files were accessed, we wanted to make everyone whose sensitive personal information was stored in a place that was technically accessible aware of this incident. This information may include patient names and information about treatment received at the Michigan College of Optometry. Information that may have been affected included patient names, Social Security numbers, demographic information (for example, addresses, dates of birth and phone numbers), and limited clinical information (for example, account numbers, health insurance information, diagnoses, diagnostic codes, procedure and treating doctors).

We want to assure you that we are committed to the security of patient information and are taking this matter seriously. While we have no reason to believe that any information has been used improperly, we began sending letters to affected patients on Sept. 24, 2013.

4. Comprehensive Podiatry LLC in Ohio reported that 1,360 patients had PHI on a laptop stolen on August 3. There is no statement on their web site as of the time of this posting, and I can find no past media reports or substitute notice via a search of Google.

5. Access Counseling, LLC in Indiana reported that 566 patients had PHI on a laptop stolen on August 23. I was able to locate an undated statement on their web site, linked from their home page:

Notice to current or past clients of Access Counseling, LLC or Brumbaugh and Associates.

In accordance with 45 CFR Parts 160 and 164, this is to notify you of a recent occurrence that resulted in a breach of protected health information.

Description of what happened: On the morning of August 23, 2013, it was discovered that my rolling briefcase, containing my laptop business computer, books, and seven case files had been stolen from my personal vehicle. My vehicle was on private property at the time. The police are actively investigating this case.

Date of breach: Between 11:30 pm of August 22, 2013 and 7:30 am of August 23, 2013.

Date of discovery: August 23, 2013

Description of the types of unsecured protected health information (PHI) that were involved: The case contained the computer, books and the case files of seven individual clients. Those seven clients will receive a separate notification to advise them of their specific breach. The computer files contained all clients’ clinical and personal information including name, address, date of birth, partial social security number and all clinical notes. The computer was password protected, however, your information may be at risk.

Steps you should take to protect yourself from potential harm resulting from this incident: It is important that you be vigilant of any bills for services you have not received and any other potential risks to your financial or personal information.

Please know that we are doing everything we can to investigate this breach, to protect you in any way we can, to mitigate any harm to you, and to protect against any further breaches of information. If at any point you discover that your information has been used inappropriately, please notify us and we will work with you to make sure the proper authorities are involved as warranted by the situation.

If you have any questions about this incident, please contact Ron Masters in Bloomington, IN, at 812-335-8555 or in Columbus, IN, at 812-342-2860.

I apologize for any inconvenience caused by this incident.


Ron Masters, LCSW

Access Counseling, LLC

6. BriovaRx in Illinois reported that 1,067 patients had PHI involved in a breach that occurred between July 3 and July 11 of this year. Although I could not find any statement on their web site, I was able to find a news story on Law360.com from October that the firm had sued a former employee for stealing trade secrets and confidential health information. The suit alleges that the employee took the information with him to a competitor.

7. Region Ten Community Services Board in Virginia reported that 10,228 patients were notified of an e-mail hacking incident on July 29 that sounds like employees may have been phished. A notice linked from their home page (with a hidden field date of September 26) says, in part:

On July 29, 2013, a hacker obtained the passwords to several Region Ten Community Services Board employees’ email accounts. It is unknown what, if any, protected health information was contained in the email accounts involved, and Region Ten is not aware that any protected health information was accessed or used by unauthorized individuals.

Region Ten became aware of this incident on July 30, 2013. We immediately responded by closing access to all employee email accounts and requiring all employees to change their email passwords. We also initiated an investigation in conjunction with our information technology consultants in order to gather more information about the incident. The investigation is ongoing.

In order to reduce or eliminate the potential harm to our consumers resulting from this incident, and to prevent an incident like this from happening in the future, we have implemented additional email security measures, provided additional training to our employees regarding email security, and revised several of our administrative policies and procedures.

Although Region Ten is not aware of any misuse of protected health information, we recommend that our consumers remain vigilant, continue to monitor their health-related and financial account statements, and contact law enforcement if they find suspicious activity.

8. Schuylkill Health System reported that 2,810 patients had PHI on a laptop stolen on August 7. PHIprivacy.net has emailed Schuylkill to request additional information as an online search failed to find any notice or coverage. This entry will be updated when a response is received.

9. Sarah Benjamin, DPM – Littleton Podiatry in Colorado reported that 3,512 patients had PHI on a laptop stolen on August 27. PHIprivacy.net has emailed Dr. Benjamin as there was no notice on their web site nor anything I could locate via a Google search. This entry will be updated when a response is received.

10. Sierra View District Hospital in California reported that 1,009 patients had PHI involved in an insider breach that occurred between July 1 and August 2. Although there was no notice on their site today when I checked, I was able to locate some media coverage in the Foothills Sun-Gazette on October 16 that reports, in part, that the hospital detected the breach on its own and contained it:

During a routine security audit of patient records and information, Sierra View District Hospital determined that a hospital employee inappropriately accessed protected health information (PHI). As a result, the hospital immediately conducted an investigation to determine the extent to which information was accessed.

The investigation concluded that the access to information was contained internally and was not disclosed externally. Furthermore, it was determined that no financial information was inappropriately accessed.

Pursuant to California Health and Safety Code § 1280.15, the hospital contacted each affected patient regarding the breach and has proactively responded to questions and concerns. The hospital has also taken necessary measures to regain and maintain security of patient health information to prevent such instances from occurring in the future.


About the author: Dissent