Evansville Medical Center Hack Exposes HIPAA Data of 4,400
Hackers have gained access to the E-mail accounts of a number of employees of the St. Mary’s Medical Center in Evansville, Indiana, resulting in the PHI of approximately 4,400 patients potentially being exposed. A spokesman for St. Mary’s Medical Center, Randy Capehart, issued a statement announcing the HIPAA breach to the press. In the statement he explained the nature of the attack and the data that was potentially exposed. The E-mail accounts accessed by the hackers contained Protected Health Information together with personal identifiers and some Social Security numbers. Although the data exposed varied from individual to individual, the information mostly contained names, gender, dates of birth, health and insurance information. The attack occurred in January and all patients affected by the breach are being notified by mail. They have been offered a year of credit and identity protection services if they had their Social Security numbers exposed. All other individuals will be entitled to obtain a free credit report from each of Equifax, TransUnion and Experian. The breach was...
HIPAA Breach Reported After Theft of PHI from Wisconsin Physician’s Car
The theft of laptop computers containing unencrypted Protected Health Information (PHI) accounts for a high proportion of HIPAA breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). The Medical College of Wisconsin will join that list of organizations to suffer a laptop-related HIPAA breach after the device was stolen from the car of a physician. In this case, the theft only resulted in one patient record potentially being exposed; however, paper files containing the PHI of approximately 400 of the physician’s patients were also taken in the theft. Under the Health Insurance Portability and Accountability Act (HIPAA), Covered Entities (CEs) are required to report breaches of PHI to the OCR via its breach reporting portal. CEs have up to 60 days to report breaches involving more than 500 individuals, although there is only an annual requirement to report breaches of fewer than 500 records. A public announcement was issued via a CBS Affiliate, WDJT Milwaukee, regarding the data breach and notification letters were quickly dispatched to all...
Veteran HIPAA Breaches Fell by Over a Third in January
A recent report sent from the Department of Veterans Affairs (VA) to congress indicates that HIPAA breaches involving the PHI of veterans have fallen by 35% from December 2014 to January 2015, while the affected individuals fell by 52%. In December last year, 371 out of 643 veterans affected by a data breach involved HIPAA covered Protected Health Information, while January saw a substantial improvement with only 310 veterans affected by data breaches, of which 242 involved the exposure of PHI. The data breaches were divided by the VA into four categories: Lost or stolen devices (including laptop computers, PCs and portable storage devices), lost personal identity verification (PIV) cards, mis-mailed incidents (when patients are sent data belonging to other patients) and mishandled incidents, which typically involve the mishandling of two patients records. Three of the categories saw a significant drop in number of affected veterans, while lost PIV cards remained broadly the same, having only increased 6% from 120 to 127 affected individuals. The number of veterans affected by lost...
Theft of HIPAA Records Reported by Texas Healthcare Provider
Hunt Regional Medical Partners, a healthcare provider in Texas, has reported a break in at its Westlake facilities in which an undisclosed number of healthcare records were obtained by thieves. The property was vandalized and old paper medical files of patients who had visited the Hunt Regional Medical Partners Family Practice (HRMP) at Westlake before 2010 were taken. The practice had recently been acquired by the healthcare provider and was previously known as Westlake Medical Center. It is not clear at this stage exactly what information was disclosed in the incident, although according to the breach notice issued by HRMP, the information potentially included Social Security numbers and health information along with personal identifiers making this a HIPAA breach. The vandalizing of the premises and theft of data have been reported to law enforcement officers and an investigation was immediately launched. Breach notification letters have now been sent to all affected individuals, and due to the increased risk of suffering medical or identity fraud, credit monitoring services are...
Possible HIPAA Violations in Medical College of Wisconsin Breach
The Medical College of Wisconsin has issued a statement announcing a data breach that has affected approximately 400 of its patients. WDJT Milwaukee, an affiliate of CBS, was contacted on Feb 28, 2015 by a spokesperson for the Medical College of Wisconsin detailing a data breach which exposed some confidential information of its patients. The breach occurred on February 15, 2015, when a document and a laptop computer were stolen from a physician’s car. The document contained information relating to approximately 400 patients. The laptop is understood only to have only contained the information of one patient. It is not clear exactly what information was stored on the laptop computer or in document at this stage; although MCW has confirmed that no Social Security numbers or patient addresses were stolen. In spite of legislation that requires data encryption is addressed, the healthcare industry has been slow to respond and use data encryption on its desktop computers, laptop computers and other portable storage devices. Data encryption ensures that if a device is stolen, no...



