Visionworks Reports Second Server HIPAA Breach in Less Than a Month
Visionworks has announced that it has suffered a second major security breach in less than a month, bringing the total number of patients affected over the past four weeks to 122,627 individuals. Visionworks sent breach notifications to 75,000 patients last month after a computer server was lost following a security upgrade. The missing server was believed to have been inadvertently dumped along with construction debris during the refurbishment of the Visionworks Jennifer Square, Annapolis, MD., facilities. The latest breach affects patients who had received services at its Florida store in the Mall of the Avenues, Jacksonville. The server had been upgraded; however the old server, which contained the Protected Health Information and personal details of approximately 48,000 patients, cannot be located. As with the previous server loss, the incident is being attributed to an employee who may have inadvertently dumped the server, although the breach letter did not confirm that this was definitely the case. The optical care services provider maintains the two incidents are not linked....
Xerox Reported for 2 Million Record HIPAA Breach by Texas HHSC
The dispute between Xerox and the Texas Health and Human Services Commission (THHSC) continues with the latter now having reported a 2 million-record HIPAA breach to the Department of Health and Human Services’ Office for Civil Rights for allegedly not returning PHI following the termination of the service provider’s contract. Xerox was a former Business Associate of THHSC and was contracted to provide administrative services for the Texas Medicaid program. However, THHSC took the decision in May to terminate the contract following allegations that Xerox had inappropriately given authorization for orthodontic braces to be given to thousands of Medicaid patients when the devices were not medically necessary. Three months later, once THHSC had replaced Xerox with a new Business Associate, it filed a lawsuit against Xerox claiming that the company had failed to return computer equipment and paper files after its contract was terminated. Stored on those computers and in those files was a large volume of confidential information including personal identifiers, Medicaid numbers and...
HIPAA Breach Due to Improper PHI Disposal Affects 1,778 Minn. Patients
Northfield Hospital & Clinics has recently issued a HIPAA breach notification to approximately 1,800 of its patients after their Protected Health Information (PHI) was potentially exposed to unauthorized individuals over an eight day period in October this year. The security breach only affected a small percentage of Northfield patients and no medical information is believed to have been accessed, although the matter is being treated with the utmost seriousness. The security breach occurred when a number of documents were disposed of in commercial dumpsters by mistake, rather than being destroyed as required by HIPAA data security and privacy rules. When Protected Health Information is no longer required it must be destroyed or rendered unusable, with the rules applying to paper records and all electronic data. Paper records containing PHI and other confidential information must be shredded, incinerated or rendered unreadable to ensure that patient health information is not accidentally disclosed. In the case of Northfield Hospital & Clinics, the records included some...
Detroit Thieves Use Stolen PHI to Commit Medical Identity Theft
Electronic devices are easy to steal and thieves sell on the hardware, although the value of the equipment pales into insignificance compared to the money that can be obtained from the patient data stored on the devices. PHI can be used to obtain products and medications which can be sold on the black market, although the data can also be used to submit false tax returns, obtain tax refunds and make bogus insurance claims. The theft of Protected Health Information from two Detroit hospitals earlier this year has highlighted how easy it is for thieves to steal PHI if adequate security measures are not implemented and how that data can be used to commit fraud and medical identity theft. The data breach involved two hospital employees; Markitta Washington who worked at Henry Ford West Bloomfield Hospital and Martez Lear from DMC Harper Hospital. The pair is alleged to have stolen the data of 1,400 patents from the hospital computer network in order to make bogus claims for tax refunds. Following the discovery of the theft at Detroit Medical Center the hospital conducted an...
Data Encryption May not Prevent a HIPAA violation
According to the Department of Health and Human Services’ HIPAA Security Rule, healthcare entities and their business associates must implement measures to protect private and confidential data of patients. Many healthcare organizations use data encryption services to protect PHI in the event that healthcare networks are infiltrated by hackers or electronic devices are lost or stolen. Encrypting patient data should ensure that an organization is covered and protected against HIPAA violation penalties; however this may not necessarily be the case. A recent data breach at Boston’s Brigham and Women’s Hospital has highlighted an issue faced by healthcare organizations who take the appropriate steps to protect PHI, only for those measures to prove insufficient. BHW announced on Monday 17th November that a mobile phone and laptop computer were stolen in a robbery in which a doctor was held at knife point, bound to a tree and was subsequently forced to hand over the equipment as well as the pass codes to access the data. The devices held the data of 999 patients,...



