Wentworth-Douglass reports insider breach at business associate, Ambucor (UPDATE5)
First it was Carolina Cardiology Consultants disclosing that 2500 of their patients had been affected by a breach at their business associate, Ambucor. Then it was Lebanon Cardiology Associates, PC (now known as WellSpan Cardiology) notifying HHS that 537 of their patients had been affected by Ambucor’s incident. Now it’s Wentworth-Douglass Hospital notifying 775 of their patients of the breach. Fosters reports:
Ambucor discovered recently that thumb drives recovered from one of its former employees contained personal information of thousands of patients nationwide, including 775 WDH patients.
The personal information did not include Social Security numbers or credit card, insurance, Medicaid/Medicare or other financial information.
The personal information may have included patient’s name, date of birth, home address, phone number, medications, race, testing data, patient identification number, medical device information such as the manufacturer, diagnosis, Ambucor enrollment number, Ambucor enrollment date, Ambucor technician name, physician name(s), and the name and address of the practice where the patient was seen.
Read more on Fosters.
A copy of Ambucor’s notification to Lebanon Cardiology’s patients, provided to DataBreaches.net by WellSpan, indicates that the employee misconduct occurred in March, 2016, but Ambucor did not discover it until July, when according to a statement from Greenville Health System, Ambucor, was informed by law enforcement, who gave them the thumb drives with patient information.
In July, when Ambucor reported the incident to HHS, they reported 1,679 patients were affected. So far, we have 3,812 patients for the three entities mentioned in this post, so it’s not clear what the total number really is for this incident. DataBreaches.net has sent an inquiry to Ambucor, and will update this post if more information becomes available.
Update: It seems that 4,500 Main Line Health patients were also notified of the breach earlier this month, although I don’t see any notification on HHS at this time. Main Line also reports that the former employee is currently incarcerated. In addition to Main Line Health, also add the following entities whose patients have also been notified of the Ambucor incident:
Stony Brook Internists, University Faculty Practice Corporation (UFPC), whose notice does not indicate the number of patients, but notes that the employee’s incarceration is on unrelated charges;
Lenox Hill Heart and Vascular Institute, whose notice does not indicate the number of patients;
Pikeville Medical Center, whose notice in June is no longer available online; and
Conemaugh Physician Group Cardiology, whose notice does not indicate the number of patients.
As I come across others, I’ll add them to this post.
Update 2: Add Berkshire Medical Center (Cardiology Services) to the list. All of their 1,745 patients were notified.
Update 3: Add New Mexico Heart Institute, who had 4100 patients to notify.
Update 4: Add Cleveland Clinic Akron General, who are notifying 730 patients.
Ambucor has not responded to the inquiry sent to them asking for a fuller disclosure as to how many patients, total, have been notified of this incident.
Update 5: I was able to locate the Pikeville Medical Center news coverage of the incident. Somewhat surprisingly, it was in their June 3 newsletter and said they had been recently notified. How could that be when Ambucor supposedly didn’t find out about the breach until around July 1 when law enforcement notified them? Perhaps they were notified by law enforcement earlier but did not recover the thumb drives from law enforcement until July?