Improper Dumping of Patient Medical Records Continues
This month, Allina Health System and Springfield Community Hospital discovered that medical records had been disposed of without first rendering them indecipherable as required by HIPAA. A third healthcare provider has also just been alerted that some of its confidential patient data have allegedly been illegally dumped.
New Alleged Case of PHI Dumping Reported
The latest case of improper dumping of PHI came to light when a local man reported discovering paperwork from the Cottonwood Comfort Dental clinic on the West Mesa, close to Albuquerque. The man had been on the West Mesa collecting shell casings when he discovered hundreds of paper medical records, according to a KRQE News 13 report. The paperwork allegedly contained patient names, Social Security numbers, insurance information and patient addresses. The man who discovered the records allegedly took them to a recycling center, although reporters from KRQE claim to have seen some of the data and taken it to the Cottonwood clinic. An investigation into the alleged privacy breach has been launched by Cottonwood Comfort...
Repeat HIPAA Violators Revealed: Database of Offenders Created
ProPublica has created a database of healthcare organizations that have violated patient privacy to make it easier for consumers to find repeat HIPAA violators. The biggest offenders have now been exposed. Since late 2009, the Department of Health and Human Services’ Office for Civil Rights (OCR) has been publishing self-reported data breaches suffered by HIPAA-covered entities. The list of data breaches, often referred to as OCR’s “Wall of Shame”, currently lists 1425 data breaches dating from October 21, 2009. Some healthcare organizations have suffered a single data breach, while others have suffered more. However, it is difficult to quickly ascertain how many breaches have been suffered by a particular entity. Not all data breaches are listed under the same company name. A search for a particular healthcare provider may reveal just one breach has been suffered, when in actual fact a great deal more have occurred. One good example of a bad example is CVS Health, a search for which would produce one result: a 12,914-record breach suffered this year. A search for CVS Caremark would...
2015 – The Year of the Healthcare Data Breach
Many healthcare IT security professionals will be glad to see the back of 2015. It has been a bad year for the healthcare industry and attacks have come from all corners. Cybercriminals and hackers have been breaking through defenses, or in many cases just sidestepping them. Malicious insiders have stolen patient data, and negligence and human error continued to cause healthcare data breaches in 2015, exposing tens of thousands of patients’ health records.
2015: The Year of the Healthcare Data Breach
Previously the financial and retail sectors were the most targeted industries. Now it is the turn of the healthcare industry. Hackers and cybercriminals have not forgotten about credit card numbers, but there are far greater rewards to be gained from stealing medical records and Social Security numbers. The data can be used by criminals to steal identities, file fraudulent tax returns, make bogus insurance claims, and obtain medical services. The data can be used for far longer than credit card numbers before fraud is detected, allowing thousands of dollars to be gained from each...
Mailing Error Results in PHI Exposure of Belgrade Regional Health Center Patients
When a physician’s assistant left the Belgrade Regional Health Center, a letter was sent to patients to tell them about the impending change in personnel; however, that letter also resulted in a breach of 854 patients’ Protected Health Information (PHI). The mailing took place on October 21, 2015, and patients first started notifying the health center of the error two days later when the letters started to be received. An investigation into the incident revealed that an error had been made with the mail merge, a step in the mailing process that can easily result in the accidental disclosure of patient PHI. The error was made by a mailing vendor of the health center. A number of other healthcare providers have also experienced very similar privacy breaches this year. In this case, the letters included the correct patient’s name and address, but also the name and address of another individual. The inclusion of an incorrect name and address also indirectly disclosed that that individual was a patient of Belgrade Regional Health Center. Breach notification letters have now been sent to...
Dermatologist Email Error Exposes 14,910 Patients’ SSNs
A spreadsheet containing 14,910 patient names, along with Social Security numbers, dates of birth, telephone numbers, addresses, email addresses, past and next appointment dates, head of household names, marital statuses, ethnicities, and employer names/occupations was inadvertently sent to 130 patients by the office of an Austin dermatologist. The emails were sent on November 23, 2015, and although the error was rapidly identified, it was not caught in time to prevent 60 of those emails from being successfully delivered. It is not clear how many patients could potentially have been affected had the email error not been identified so quickly. According to a breach notice placed on the website of Austin, TX, dermatologist Mary Ruth Buchness, instead of patients being sent a survey as an email attachment they were inadvertently sent a very detailed list of patient demographics. The website breach notice does not list the number of patients affected, although the breach notice submitted to the Department of Health and Human Services Office for Civil Rights indicates 14,910 patients had their...



