HIPAA Business Associate Reports 31K Record Data Breach
Omaha-based Seim Johnson, a business associate of a number of healthcare providers in Nebraska and beyond, has announced that one of its laptop computers was stolen in Nashville, Tennessee, exposing nearly 31,000 healthcare patient records. The laptop computer contained the protected health information (PHI) of 30,972 healthcare patients, 4,200 of whom were patients of Community Hospital in McCook, Nebraska. It is not clear which other healthcare providers were working with Seim Johnson and have been impacted by the data breach. The types of PHI exposed varied from patient to patient, although many had their name, patient identification number, medical record number, or a visit number exposed. In a limited number of cases, Social Security numbers were compromised, although no financial information was stored on the laptop. Patients are in the process of being informed of the privacy breach. If a Social Security number was stored on the laptop, patients will have been specifically informed of this in their breach notification letter. It is company policy at Seim Johnson to encrypt...
OCR to Receive $4 Million Budget Increase to Support Audit Program
The Department of Health and Human Services’ Office for Civil Rights is to receive a budget increase of $4 million in 2017 to support its proposed HIPAA compliance audit program, bringing the department’s annual funding up to $43 million.
HIPAA Compliance Audit Program to Receive a Funding Boost
The second phase of compliance audits is penciled in to start “in early 2016,” although the start date has yet to be announced. OCR was mandated to conduct HIPAA compliance audits in the Health Information Technology for Economic and Clinical Health Act (HITECH), and while the pilot phase of audits took place in 2011/2012, the second phase has suffered delay after delay. Those delays have been attributed to a lack of funding. The additional $4 million is therefore much needed, especially after the budget freeze in 2016. The purpose of the audits is in part to ensure that covered entities (healthcare providers, healthcare clearinghouses, health insurers, and business associates of covered entities) are complying with HIPAA regulations. The audits will also give OCR insight into the aspects...
Apple Health HIPAA Breach Affects 91K Medicaid Recipients
The protected health information of 91,000 Apple Health Medicaid program clients has been compromised by a Washington State Health Care Authority (HCA) employee over a period of almost 3 years, according to a statement issued by HCA risk manager, Steve Dotson. All affected individuals are in the process of being notified that their name, date of birth, Apple Health ID number, Social Security number, and private health information were improperly disclosed between early 2013 and late 2015. The repeated privacy breaches involved two state department employees who exchanged emails containing the highly sensitive data. A woman working as a medical assistance specialist for the HCA regularly sent spreadsheets containing patient health information and Social Security numbers to her brother, who worked as an Internet technician for the Department of Social and Health Services (DSHS). The unauthorized sharing of patient data is a breach of Health Insurance Portability and Accountability Act rules and warrants the sending of breach notification letters. Those letters were dispatched on...
Oceans Acquisitions Announces Laptop Theft and Data Breach
The theft of a laptop computer from the vehicle of an Oceans Acquisitions employee has resulted in the protected health information of 659 patients from the Abilene region of Texas being exposed. In May 2015, Oceans Acquisitions confirmed that all portable devices, including laptop computers, had sensitive data encrypted. In the event of theft or loss of a device, all PHI stored on that device would be protected. The encryption would prevent any unauthorized individual from being able to access stored data. However, the laptop theft occurred on April 9, 2015, a month before Oceans Acquisitions ascertained that all devices were protected. While the healthcare provider believed the laptop computer theft did not place any data at risk of exposure, this has turned out not to be the case. According to a substitute breach notice issued on February 2, 2016, Oceans Acquisitions determined that the laptop in question did contain the PHI of 659 individuals, and that those patients potentially had their PHI exposed. This came to light during an unrelated systems review, which was not linked...
Two Employees Fired for Jason Pierre-Paul HIPAA Breach
Back in July 2015, New York Giants football player Jason Pierre-Paul visited Miami’s Jackson Memorial Hospital for treatment after a fireworks accident. News reports emerged soon after confirming Pierre-Paul had suffered a major hand injury. At the time of the accident, the football player was negotiating a new $60 million contract with the Giants. ESPN’s Adam Schefter managed to get hold of Pierre-Paul’s medical records and posted details of the injury on Twitter, confirming Pierre-Paul had had the middle finger of his right hand amputated. There was much debate at the time about the legality of Schefter’s disclosure, with many claiming HIPAA had been violated. Of course, journalists and news reporters are not HIPAA-covered entities, and as such are not obliged to abide by HIPAA rules. While Schefter could not have violated HIPAA, the medical information could only have come from the hospital where Pierre-Paul was being treated. HIPAA Rules did appear to have been violated, just not by Schefter. Jackson Memorial Hospital conducted an internal investigation into the potential...



