Protected health information (PHI) is still going astray. Here are November’s HIPAA violations and PHI data breaches.
Dean Health Plan – 960 members
Wisconsin-based Dean Health Plan has reported that up to 960 members’ PHI may have been affected by a data breach when documents mailed by a third-party vendor were lost in the postal system. The PHI “was limited to the member’s name, member number and procedure codes, dates of service, and did not contain any other identifying protected health information or financial information such as social security or credit card information.” The USPS returned a number of damaged documents to Dean Health Plan. Individual members impacted by the incident are being informed.
Dean Health Plan’s notification notice can be found here >>
OH Muhlenberg, LLC – 84,681
OH Muhlenberg, LLC was notified by the FBI of “suspicious third party activity on the Hospital’s computer network”. It was discovered that keylogging malware had infected a number of computers, and “some individuals’ information including: name, address, telephone number(s), birthdate, Social Security number, driver’s license/state identification number, medical and health plan information, financial account number, payment card information and employment-related information could have been affected.”
Muhlenberg’s breach notice can be found here >>
A list of FAQs can be found here >>
UC Health, LLC – 1,064 patients
The University of Cincinnati Health Center has notified 1,064 patients that “on nine occasions dating back to August 2014, emails containing protected health information that were intended to be sent internally within UC Health were inadvertently sent to an incorrect email address at a domain similar to UC Health’s authorized domain.” Potentially compromised information “included, but was not limited to, patient names, birth dates, medical record numbers, dates of service, physician names, and diagnosis information.”
A press release about the incident can be read here >>
BeHealthy Medicare Advantage Plan – 835 members
BeHealthy Florida, Inc. mailed benefit information packages to 835 members in Manatee and Sarasota counties “using envelopes that inadvertently listed their individual health insurance claim number, or HICN, on the outside of the envelopes. The HICN is a Medicare beneficiary’s identification number and it typically contains the beneficiary’s social security”.
BeHealthy’s data breach notice can be read here >>
Children’s Medical Clinics of East Texas – potentially 16,000 patients
A former employee of Children’s Medical Clinics of East Texas took “business documents home from the office and did not return them”, and “improperly accessed patient information by logging into patient records and providing a screenshot of patient records to […] a disgruntled ex-employee”. 16,000 patients were potentially affected.
A letter from Children’s Medical Clinics’ attorney can be read here >>
North Carolina DHHS – 524 patients
On September 14, an employee of the North Carolina Department of Health and Human Services “sent an unencrypted email to the Orange County and Ashe County health directors [containing] a spreadsheet with 524 individuals’ first name, last name, Medicaid recipient ID number, Social Security number, date of birth, address, gender, ethnicity, race, insurance information and provider name.”
A news release about the incident can be read here >>
This isn’t the first time this has happened: Only last month, North Carolina DHHS informed 1,615 patients that an employee had “inadvertently sent an email to the Granville County Health Department without first encrypting it. Attached to the email was a spreadsheet containing information relating to individual Medicaid recipients. The information in the email included the individual’s first and last name, Medicaid identification number (MID), provider name and provider ID number, and other information related to Medicaid services.”
The same mistake having been made twice, North Carolina DHSS has now “installed additional software for all its employees that will intercept emails such as this and block these types of emails from being sent unencrypted. The software will alert the sender to encrypt an email if it contains social security numbers – in the body of email text, or in attachments – and won’t allow that email to be sent until it is encrypted.”
Quest Diagnostics – “hundreds”
NBC 4 New York reports that a Brooklyn marketing company, APS Marketing Group, “was inundated for months by hundreds of private medical documents meant for Quest Diagnostics”. Faxes – which “were all medical papers, with sensitive information, including name, date of birth, phone numbers, and sometimes social security numbers for patients” – were mistakenly sent to the marketing company from numerous medical offices in the New York metropolitan area. Quest Diagnostics is facing a class-action lawsuit according to this press release >>
Arthur Brisbane Child Treatment Center – unknown number of records
A former children’s psychiatric facility, the Arthur Brisbane Child Treatment Center in Farmingdale, NJ, has been used to store medical records since it closed in 2005. According to app.com, the facility contained “piles of cardboard boxes”, which held “personal information such as Social Security numbers, medical history and banking information” pertaining to state employees and Brisbane patients. According to a former employee, the “doors to at least one building at the Route 524 complex were left wide open on multiple occasions”, leaving the information easily accessible to all. The state Department of Children and Families has now removed the boxes of documents to a secure location, and has launched an investigation.
Dr Mary Ruth Buchness – approximately 15,000 patients
NBC 4 New York reports that a spreadsheet containing “nearly 15,000 names and corresponding addresses, appointment dates and Social Security numbers” was inadvertently emailed from the office of New York dermatologist Dr Mary Ruth Buchness to an unknown number of recipients, apparently instead of a coupon. The doctor’s office is investigating.
Pathways Professional Counseling – unknown number
A password-protected laptop was stolen from the vehicle of a Pathways Professional Counseling employee on September 24. The security of some personal information and PHI was affected, including “an individual’s name combined with one or more of the following data elements: Social Security number, date of birth, address, treating physician name, diagnosis and clinical information, phone number, email address, demographic information, financial information, health insurance information, treatment information, and medication information.”
Pathways’ notice can be read here >>
Centegra Health System – 2,929 patients
The Northwest Herald reports that “a mailroom error” at MedAssets, a third-party contractor of Centegra, resulted in the personal information of some 3,000 Centegra Health System patients being sent to the wrong addresses. Information included “a patient’s name, address, account number, original account balance, third-party payment, billing discounts and adjustments, and the amount owed. Hospital service dates, a summary of services provided and related charges also were included”.
Cottage Health System – 11,000 patients
Cottage Health System has notified 11,000 patients that their PHI was compromised by a server incident in late October. “The information involved included names, addresses, social security numbers and limited medical information such as diagnosis and procedure. There is no evidence that driver’s license numbers or financial information was compromised.”
Cottage Health’s “Notification on Data Disclosure” can be read here >>
Cottage Health was also in the news in May when its insurers, Columbia Casualty Company, filed a complaint seeking reimbursement for a payout it made to cover losses relating to another data breach, caused, it claimed, by Cottage Health’s poor cybersecurity. The complaint was dismissed in July because Columbia Casualty Company didn’t follow its own alternative dispute resolution (ADR) process, as set out in the policy.
The following are listed on HSS’s OCR Portal as having admitted to data breaches, but no further information is available as of the time of writing.
- Rush University Medical Center – 1,529 patients – unauthorized access/disclosure
(Although there doesn’t appear to be any further information available about this incident, I did find this article from April about how Rush’s cybersecurity helps it stay HIPAA-compliant. Hubris.)
- Good Care Pediatric, LLP – 2,300 patients – hacking incident
- HealthPoint – 1300 patients – laptop theft
- Midlands Orthopaedics, PA – 3,902 patients – hacking incident
- Alaska Orthopedic Specialists, Inc. – 553 patients – email theft
- Cigna Home Delivery Pharmacy – 592 patients – unauthorized access/disclosure
- Carolyn B Lyde, MD, PA – 1,500 patients – laptop theft
- Peace Health – 1,407 patients – unauthorized access/disclosure
The Health Insurance Portability and Accountability Act (HIPAA)
Health care organizations are bound by the Health Insurance Portability and Accountability Act (HIPAA), whose Administrative Simplification rules regulate the use and disclosure of protected health information (PHI) by covered entities. HIPAA covered entities that are concerned about data security would do well to implement an information security management system (ISMS), as specified by the international best-practice standard ISO 27001.
By virtue of its all-inclusive approach, ISO 27001 encapsulates the information security elements of HIPAA by providing an auditable ISMS designed for continual improvement.
It is often the case that companies will also achieve compliance with a host of other related legislative frameworks simply by achieving ISO 27001 registration. In addition to this, the external validation offered by ISO 27001 registration is likely to improve an organization’s cybersecurity posture while providing a higher level of confidence to customers and stakeholders – essential for securing certain global and government contracts.
IT Governance’s ISO 27001 Packaged Solutions provide fixed-price ISO 27001 implementation resources and consultancy support for all organizations, whatever their size, sector, or location, from under $600.
Civil monetary penalties (CMPs) for HIPAA violations can be as much as $50,000 per compromised record, up to an annual maximum of $1.5 million, and criminal penalties can incur fines of up to $250,000 and ten years’ imprisonment.