Community Health Center Investigated for 130K-Patient HIPAA Breach
A former IT Director of Community Health Center, Connecticut has alleged that the healthcare provider failed to address a number of security vulnerabilities and believes his employment was terminated as a result of highlighting those problems to the upper management. Furthermore, when he was sent his personal belongings the package he received is alleged to have contained a computer hard drive on which there were approximately 130,000 medical records of current and former patients of the Middletown clinic. The hard drive has been provided to the state and the Attorney General’s Office is conducting an investigation into the matter. Community Health Center operates 13 clinics in the Middletown area including medical and dental centers, behavioral health clinics and specialized care services for HIV/AIDS patients. Ali Eslami was employed by CHC as its IT Director and had held the position for 14 years. He claims to have spoken to the top management about the poor state of the IT security and provided information on a potential hacking incident; one that could have exposed the credit...
Staff Error Exposes 33K HIPAA Records at St. Joseph Health
Even with the best defenses in place, HIPAA violations can occur, as the Santa Rosa Memorial Hospital in Northern California recently discovered. The hospital, operated by the St. Joseph Health system, recently reported that an error made by a member of staff at the hospital resulted in the data of 33,702 patients being obtained by a thief. The theft occurred during a burglary at the hospital’s Redwood Regional Medical Group offices. The facilities were broken into and the thief – or thieves – managed to find a thumb drive on which the unencrypted records of almost 34,000 patients were being temporarily stored. The unencrypted thumb drive had been put in an unlocked staff locker overnight. In the morning, when the break in was discovered, the member of staff concerned realized that the thumb drive was missing. The theft was reported to law enforcement officers, although the perpetrators have not been identified and the thumb drive has not been recovered, although the investigation is continuing. The thumb drive was being used to temporarily store backed up data from the radiology...
Salina Family Healthcare Center Reports HIPAA Email Breach
The Salina Health Education Foundation, doing business as the Salina Family Healthcare Center, has caused a breach of 9,640 patient records after a member of staff submitted a database to the National Commission for Quality Assurance as part of a care coordination research study. The database was sent via email, and since the medium is insecure and the data was not encrypted, this potentially could lead to PHI falling into the hands of individuals unauthorized to view the information. According to a statement released by the medical center in response to the breach, the incident occurred on April 8, 2014. The data that was exposed contained sensitive information which could potentially be used to commit fraud, although no Social Security numbers or financial information was present in the database. Information included patient names and dates of birth, chart numbers and medical codes, which should have been removed prior to the data being sent. The lack of data de-identification was immediately spotted by NCQA staff, which alerted the medical center and immediately deleted the...
HIPAA Breach Report: March 2014
March 2014 HIPAA Breach Summary: The HIPAA Breach Notification Rule requires covered entities to report all data breaches involving HIPAA-covered data to the Department of Health and Human Services’ Office for Civil Rights. Breach reports must be submitted via its website portal, and CEs have 60 days from the discovery of the breach in order to do this. This report contains a summary of the breaches which have been reported to the OCR during the month of March, 2014. Major HIPAA Breaches in March 2014 The number of individuals affected by data breaches in March 2014 was substantially lower, with 68% fewer victims compared to last month, although there were 7 more breaches reported in March. Phoenix-based not-for-profit health system, Banner Health (AZ), reported the largest HIPAA breach after 55,207 individuals had their Social Security numbers or Medicare numbers printed on magazine labels in a marketing error when sending its quarterly magazine to patients. HealthPartners, Inc. (MN) reported a 27,839-record accidental disclosure data breach, in addition to three data breaches...
Stolen Union Labor Life Laptop Exposes 46,771 HIPAA Records
The failure to encrypt data on mobile devices has resulted in the Union Labor Life Insurance Co. (ULLICO) having to send out 46,771 breach notification letters to its members informing them that thieves have managed to obtain their Protected Health Information. The data compromised in the latest breach includes Social Security numbers, names, addresses and a limited amount of healthcare data. ULLICO has confirmed that the data compromised in the incident corresponds only to Union Labor Life. None of its affiliates – ULLICO Casualty Group, Inc., ULLICO Investment Advisors, Inc and ULLICO Investment Company – were affected. The insurer discovered that one of its laptop computers had been stolen from its offices in Silver Spring, MD on February 18, with the theft understood to have occurred the day before. The theft was reported to Montgomery County Police, although to date the laptop has not been recovered. The laptop contained data on participants, dependents and insurance applicants that had purchased – or applied to purchase – group life insurance or medical stop loss...



