Update to HHS's breach list (update 1)
HHS added 16 breach reports to its public breach tool today, bringing the counter of breaches each affecting 500 or more individuals to 736 since HITECH went into effect September 23, 2009.
As I’ve done in the past, I’ll begin by noting which of the additions we already knew about, annotated if there’s anything new or significant about the report to HHS:
- The Rotech Healthcare Inc breach, reported here affected 10,680 employees and dependents.
- The Genesis Rehabilitation Services breach, reported here, affected 1,167 individuals.
- The United Dynacare, (dba Dynacare Laboratories) breach, reported here, here and here, affected a total of 9,328. I could be wrong, but it looks like Dynacare must have reported the breach to HHS itself, as there’s no mention of Froedtert in the log entry, even though the city of Milwaukee had contracted with Froedtert Community Health/Workforce Health, who, in turn, had contracted with Dynacare.
- The Scottsdale Dermatology breach, reported here, resulted in notification of 1,456 patients after an employee of their business associate, All Source Medical Management, stole patient information. Scottsdale Dermatology reported that the data theft occurred between January 1, 2013 and October 4, 2013.
- The Redwood Memorial Hospital breach, reported here.
- The DaVita breach, reported here, was reported to HHS as affecting 1,500 dialysis patients, even though DaVita’s public notice indicated 11,500 patients had PHI on the laptop.. I’m not sure why the numbers are so discrepant and have e-mailed DaVita to inquire. If I get a response, I’ll update this. [Update 1: that was a typo on HHS’s breach tool; the correct number is 11,500, as DaVita initially reported. Thanks to DaVita for their prompt reply.]
- The LANAP & Implant Center breach reported here and here was reported by David DiGiallorenzo, D.M.D. as occurring on September 17, 2012. That seems incorrect as the torrent was uploaded to a PirateBay site on February 18, 2010. Perhaps Dr. DiGiallorenzo confused date of discovery with date of breach? I’d ask them, but their lawyer has already said they’d have no further comment on the breach. Surprisingly, Dr DiGiallorenzo seems to have reported that (only) 2,600 patients were affected by the breach. Inspection of the torrent reveals that over 11,000 individuals had PII and/or PHI in the database exposed online, so I’m really not sure how they got that number to report. The incident was reported as “Unauthorized Access/Disclosure,Hacking Incident”,”Network Server, Electronic Medical Record,” and hopefully, HHS will confirm whether this really was a hack by a third party.
I’m in the process of researching the other nine breaches added to HHS’s breach tool and will post something about them in separate posts.