Updates to HHS's breach tool (updated)
HHS added 13 more incidents to its breach tool today. Six of them have been reported previously on this blog:
- Hope Hospice
- IHC Health Services, Inc. dba Intermountain Life Flight. Of note, they reported that the breach began on October 12, 2009. That’s a long time to go undetected.
- El Centro Regional Medical Center reported that 189,489 patients were affected by their incident.
- Lutheran Social Services of South Central PA
- Arizona Counseling & Treatment Services, LLC reported that 3,800 were affected by their incident.
- Indiana University Health Arnett
The following are incidents reported to HHS not previously covered on this blog:
Public Health – Seattle & King County in Washington reported that 750 individuals were affected by a breach on March 7 involving the improper disposal of paper records. I was able to track down a notice on their web site that indicated that a substitute custodian employed by the building owner at Downtown Public Health Center disposed of some clients’ protected health information in a way that did not follow proper procedure. Although the agency does not believe anyone saw or obtained the papers, they contained the patients’ names, dates of birth, medical condition or treatment, phone number, medical record number, appointment date, and address.
Orthopedics & Adult Reconstructive Surgery in Texas reported that their business associate, AssuranceMD (formerly known as Harbor Group), lost a portable electronic device sometime during the first half of March. The device contained information on 22,000 patients.
Curiously, in researching the report, I came across a fragment of a May 6, 2013 classified notice. All that remains of it is:
If you have been a patient of Andrew F. Brooker, M.D. and/or Orthopedics & Adult Reconstructive Surgery you are hereby notified that a HIPAA violation may have occurred in Philadelphia, Pennsylvania when the medical records on hard drive were being converted to an electronic medical record system pursuant to recent statutory regulations. If you have any questions or concerns please feel free to c…
Whether that notice is in any way connected to the breach report to HHS, well, I have no idea. I can find no substitute notice on AssuranceMD’s web site, and can’t even find a web site for Orthopedics & Adult Reconstructive Surgery in Texas. This is where, again, it would be very helpful if HHS posted breach reports publicly like a number of states do.
[UPDATE OF AUG. 1: On July 30, Greg Cutrona of AssuranceMD sent an e-mail to PHIprivacy.net claiming that the information in this blog post relating to AssuranceMD was “inaccurate and untrue.” I asked him to be specific as to how it was allegedly inaccurate, but he declined, citing a confidentiality clause in his contract. Since the HHS report indicates that AssuranceMD was named by Orthopedics & Adult Reconstructive Surgery as the business associate involved in the loss of a portable electronic device with PHI on 22,000 individuals, PHIprivacy.net declined to simply remove the blog post, but we note that AssuranceMD disputes it. We have encouraged them to get Orthopedics & Adult Reconstructive Surgery and/or HHS to issue a correction to their report if one is needed.]
Delta Dental of Pennsylvania reported that their business associate, ZDI, suffered a breach involving the loss of paper records for 14,829 patients. The breach occurred on March 20. I was unable to find any notice on Delta Dental’s web site, and was unable to find any site for ZDI. An email sent to Delta Dental received no response as of the time of this posting. (See update on this breach here).
Valley Mental Health of Utah reported that 700 patients had information on a stolen computer. The theft occurred on February 27, and I can find no statement on their web site or substitute notice anywhere.
Wood County Hospital in Ohio reported that 2,500 patients’ information was stolen on March 19. I was able to track down a news media report on the incident, which involved the theft of x-rays, presumably for their silver value. The films contained patients’ names, medical record numbers, dates of exam, and in some cases, date of birth.
The Guidance Center of Westchester, NY reported that 1,416 patients were notified after the theft of a computer on February 21. There was a notice on their web site dated April 24, but it is no longer available. It is, however, available via Google cache:
The Guidance Center of Westchester, Inc. is notifying clients of a breach of their personal information after discovering that the following has occurred:
On February 22, 2013, the Center discovered that a central processing unit (CPU) had been removed from a staff member’s office at its 70 Grand Street, New Rochelle, New York location. The Center immediately conducted a preliminary investigation into the incident and determined that the CPU was taken on February 21, 2013. The Center notified local law enforcement and filed a police report. The New Rochelle Police Department is currently investigating the incident.
The Secretary of the Department of Health and Human Services, New York State Attorney General’s Office, New York State Office of Cyber Security, and New York State Department of State Division of Consumer Protection have all been notified in accordance with the law.
The breach involves the records of 1,416 past and present clients of the Center. It has been determined that the following categories of personal information were contained on the missing CPU: (i) names, (ii) date of birth, (iii) date of admittance to the Center, (iv) name of insurance carriers, (v) home address, (vi) diagnosis, (vii) outpatient treatment authorization request, (viii) social security number, (ix) doctors’ names, (x) a notation of whether medication was prescribed (but not a description of the medication), and (xi) case number.
The Center has taken numerous steps to locate the missing CPU and further investigate the circumstances surrounding its removal. A forensic security analysis of the accessibility of the personal information contained on the CPU has been performed. As a result of that expert analysis, the Center believes that the risk of access to the personal information at issue is low. However, enhanced security measures are being implemented facility-wide, including encrypting all laptop and desktop computers and retraining its staff, to improve security and minimize any future risk.
In an effort to mitigate against the risk of identity theft and fraud, the Center is offering to pay for identity theft protection services for one year for each affected client who requests this service. In addition, each affected client has been provided with printed materials designed to aid in further protection against identity theft and fraud, including contact information for the Federal Trade Commission and credit reporting agencies where they can place a fraud alert on their consumer reports. [A copy of this aid is available upon request.]
“The safety and well-being of our clients is and has always been our primary concern,” said Amy Gelles, the Center’s Executive Director. “We regret that this incident has occurred, but we are moving swiftly to reassure our clients that everything possible is being done to protect them now and in the future.”
Those affected have been directed to contact specially trained personnel assigned to assist them. Concerned clients may also contact Bart Worden, Deputy Director, toll-free, at 800-319-9659, between the hours of 9:00 a.m. and 5:00 p.m., Monday to Friday, or by email 24 hours a day at: [email protected], or may send their concerns by mail to: The Guidance Center of Westchester, Inc., 256 Washington Street, Mt. Vernon, NY 10553.
The Guidance Center of Westchester is an innovative multi-service, community-based nonprofit organization which serves more than 5,000 people in Westchester County each year. For more information, visit: www.theguidancecenter.org.
Stronghold Counseling Services Inc. of South Dakota reported that 8,500 patients had information on a computer stolen on December 24, 2012. I was unable to find any additional sources on this incident. I’ve sent an email to them asking for more details.
Update of April 19, 2015: Because AssuranceMD challenged the accuracy of this site’s report of their role in a reported breach by Orthopedics & Adult Reconstructive Surgery (see above), I thought I would add HHS’s closing summary on the incident:
An unsecured hard drive containing the electronic protected health information (ePHI) of up to 22,000 individuals was lost in transit between Dr. Andrew F. Brooker’s business associate, AssuranceMD, and a subcontracted electronic medical records storage company. The ePHI involved in the breach included patients’ names, diagnoses/conditions, lab results, other clinical information and for some patients, addresses, dates of birth and/or social security numbers. Dr. Brooker provided breach notification to HHS and affected individuals. Following the breach he updated his HIPAA policies and procedures. OCR obtained assurances that the corrective action steps listed above were completed. Prior to completion of additional corrective actions, Dr. Brooker notified OCR that he had sold his private practice.
I note that under HHS’s revised breach tool system which lists business associates in the “covered entity” column, this incident is now listed under “AssuranceMD f/k/a Harbor Group” and instead of listing “loss” of a device as it had previously done, the log entry now indicates “theft,” which doesn’t seem to match their narrative. Even more confusing, if you were to now search HHS’s breach tool for “Orthopedics & Adult Reconstructive Surgery,” you wouldn’t find them listed at all.