Health Care Data Breach Watch: June 2015

OPM cyber attack linked to Anthem and Premera health care breachesAnother month, another batch of health care data breaches and HIPAA violations…

Halfway through the year, we’ve passed 100 incidents and seen nearly 125 million records affected.

Meritus Medical Center – 1,029 patients

The Meritus Medical Center (MMC) in Hagerstown, Maryland, has notified 1,029 patients that their personal data could have been accessed by a third-party vendor’s employee. This data includes “names, demographic information (such as date of birth, age, gender, medical record number and, in some instances, health insurance information), and clinical information (such as treatment and/or diagnosis information)”, and, in some instances, Social Security numbers. There is no evidence that any of the information was used inappropriately.

Meritus Health’s letter to patients can be read here >>

Penn State Hershey Medical Center – 1,801 patients

Penn State Milton S. Hershey Medical Center has notified 1,801 patients that their personal data “had the potential to be accessed by individuals not involved in their care” when an employee with permission to access their information took his work home and used devices – a flash drive and his home computer – outside the health center’s secure network. There is no evidence that any of the information was used inappropriately.

A press release from Penn State Hershey detailing the incident can be read here >>

University of California Irvine Medical Center – 4,859 patients

UC Irvine Health has admitted a four-year HIPAA breach. Between June 2011 and March 2015, a medical center employee accessed nearly 5,000 patient records without authorization. According to a statement:

“As far as it is possible to determine, the employee did not access or electronically distribute Social Security numbers, driver’s licenses or state ID card numbers, or credit or debit card information.

“However, the employee may have viewed some protected health information of our patients including names, dates of birth, gender, medical record numbers, height, weight, medical center account numbers, allergy information, home address, medical documentation, diagnoses, test orders and results, medications, employment status, and the names of patient’s health plans and employers.”

Those affected have been notified, and a press release from UC Irvine Health detailing the incident can be read here >>

Community Health Centers, Florida – 94 patients

Channel 9 News reports that a Community Health Centers hospital in Florida has written to 94 patients, notifying them of a data breach affecting their personal data. A former employee of the hospital inappropriately accessed patient records, including full names, Social Security Numbers, dates of birth, and annual incomes.

Texas Department of Aging and Disability Services (DADS) – 6,600 patients

The Texas Department of Aging and Disability Services (DADS) has notified 6,600 patients that their personal data – including “names, residences, mailing addresses, dates of birth, Social Security and Medicaid numbers, as well as medical diagnoses or treatment information” – was mistakenly exposed over the Internet by a web application intended for internal use only. The Statesman reports that the data was public for eight years. According to DADS, there is “no reason to believe any of the information has been misused.”

A press release from DADS detailing the incident can be read here >>

Medical Informatics Engineering (MIE) – undisclosed number

Medical Informatics Engineering (MIE), a software provider for the health care industry, has admitted to “a data security compromise that has affected the security of some protected health information” relating to some of its clients’ patients. Those clients include:

  • Concentra
  • Fort Wayne Neurological Center
  • Franciscan St. Francis Health Indianapolis
  • Gynecology Center, Inc. Fort Wayne
  • Rochester Medical Group

Affected information includes “the patient’s name, mailing address, email address, date of birth, and for some patients a Social Security number, lab results, dictated reports, and medical conditions. No financial or credit card information has been compromised, as we do not collect or store this information.” MIE has begun notifying affected patients.

A security notice from MIE detailing the incident can be read here >>

MIE’s subsidiary NoMoreClipboard was also affected. A security notice from NoMoreClipboard can be found here >>

Blue Shield of California (BSoC) – 843 patients

Blue Shield of California (BSoC) has notified 843 patients that their personal data was inadvertently shared with other patients as a result of a computer coding error. Patients were told that affected information included “first and last name, Social Security Number, Blue Shield identification number, date of birth, and home address. None of your financial information was made available as a result of this incident. The users who had unauthorized access to PHI as a result of this incident have confirmed that they did not retain copies, they did not use or further disclose your PHI, and that they have deleted, returned to Blue Shield, and/or securely destroyed all records of the PHI they accessed without authorization.”

A copy of the letter BSoC sent to affected patients can be read here >>

Success 4 Kids & Families (S4KF) – 506 patients

A password-protected laptop containing “limited protected health Information” relating to 506 Success 4 Kids & Families (S4KF) clients was stolen from an S4KF employee’s vehicle on April 5, 2015. An investigation is now underway. The Florida-based organization says:

“While the investigation is ongoing, S4KF has determined that files stored on the laptop may have contained clients’ names, addresses, dates of birth, Social Security numbers, or other limited treatment-related information.

“Although the treatment-related information varies by person, examples include dates of service, types of service, gender, age, or the name of their insurance provider.  The laptop did not contain client medical health records, which were not stored on the laptop.”

A press release from S4KF detailing the incident can be read here >>

Metropolitan Hospital Center, NY – 3,957 patients

The Metropolitan Hospital Center in New York has informed 3,957 patients of “an incident that resulted in the possible unauthorized disclosure of [their] protected health information (PHI), including such information as [their] name, medical record number, medical diagnosis, physician’s name, and limited sensitive medical information.” An employee emailed the information without authorization – the third such incident to affect a New York City Health and Hospitals Corporation hospital this year, following similar incidents at the Jacobi Medical Center and the Bellevue Hospital Center last month.

A copy of the letter MHC sent to affected patients can be read here >>

My Fast Lab/Crown Point Medical Tests – 167 patients

My Fast Lab, a now defunct discount medical testing company owned by Crown Point Medical Tests, failed to securely dispose of files containing the personal data of 167 individuals. According to, the records – which included copies of Social Security cards, driver’s licenses, and health insurance cards, as well as names, addresses, phone numbers, blood types, and credit card numbers with expiration dates and security codes – were found in a dumpster by an employee of a nearby pizza restaurant, who tipped off the media.

Richmond Radiology – unknown number

In another case of improperly discarded records, a Richmond, Kentucky, resident discovered 65 boxes of medical records in a dumpster outside a storage facility. He told WTVQ that the thousands of documents – including names, Social Security numbers, birthdates, Medicare information and credit card information – belonged to Richmond Radiology, a company that closed over a decade ago. The information languished in AAA Rent-A-Space since being abandoned by the customer in July 2011, until it was disposed of by an employee who seemingly didn’t realize what they were throwing away.

US HealthWorks – undisclosed number

In another case of a password-protected but unencrypted laptop being stolen from a vehicle, US HealthWorks has reported a data breach affecting the personal information – including “name, address, date of birth, job title, and Social Security number” – of an undisclosed number of individuals. The laptop has not been recovered.

A copy of the letter US HealthWorks sent to affected patients can be found here >>

The Health Insurance Portability and Accountability Act (HIPAA)

Health care organizations are bound by the Health Insurance Portability and Accountability Act (HIPAA), whose Administrative Simplification rules regulate the use and disclosure of Protected Health Information (PHI) by covered entities.

ISO 27001

Vormetric study found that “26 percent of healthcare respondents reported that their organization had previously experienced a data breach”, and a recent Ponemon Institute report found that criminal attacks are the most common cause of health care data breaches. “Criminal attacks on healthcare organizations are up 125% compared to five years ago”, Ponemon notes, and “45% of [breached] healthcare organizations say the root cause of the data breach was a criminal attack”.

HIPAA covered entities that are concerned about data security should implement an information security management system (ISMS), as specified by the international best-practice standard ISO 27001.

By virtue of its all-inclusive approach, ISO 27001 encapsulates the information security elements of HIPAA by providing an auditable ISMS designed for continual improvement.

It is often the case that companies will also achieve compliance with a host of other related legislative frameworks simply by achieving ISO 27001 registration. In addition to this, the external validation offered by ISO 27001 registration is likely to improve an organization’s cybersecurity posture while providing a higher level of confidence to customers and stakeholders – essential for securing certain global and government contracts.

IT Governance’s ISO 27001 Packaged Solutions provide fixed-price ISO 27001 implementation resources and consultancy support for all organizations, whatever their size, sector, or location, from under $600.

Civil monetary penalties (CMPs) for HIPAA violations can be as much as $50,000 per compromised record, up to an annual maximum of $1.5 million, and criminal penalties can incur fines of up to $250,000 and ten years’ imprisonment.

Click for more information >>

ISO 27001 Packaged Solutions