HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

California Business Associate Reports Potential Breach of Upwards of 70,000 Records

Stephan C Dean, the co-owner of the California record storage firm Surefile, reported a hacking/IT incident to the HHS’ Office for Civil Rights (OCR) on March 4, 2020 as impacting upwards of 70,000 individuals.

Stephan Dean and his wife have been engaged in a long running legal dispute with Kaiser Permanente over the return and deletion of electronic files containing patient information. Kaiser Permanente has been trying to get the files permanently deleted; however, Stephan Dean insists that Kaiser Permanente owes him money for services rendered. The on-and-off legal action was eventually dropped, but the emails were never returned or deleted.

Surefile worked with Kaiser Permanente and was provided with paper copies of medical records in 2008. When the agreement between Surefile and Kaiser Permanente ended, Stephan Dean returned the paper copies of the medical records to Kaiser Permanente; however, emails containing patient information that were sent to Stephan Dean by Kaiser Permanente remained on his computer. Stephan Dean filed a complaint with OCR over alleged HIPAA violations relating to the emails and lack of a business associate agreement, and while a case was opened and the matter was investigated by OCR, it was eventually closed with no penalty issued.

On August 20, 2019, Stephan Dean was informed by Microsoft that an unauthorized individual may have compromised his MSN email account. The account in question contained files such as spreadsheets that had been sent to Stephan Dean by Kaiser Permanente.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Stephan Dean recently spoke with Dissent of databreaches.net and explained that the 70,000 records only represent a sample of the data and the actual number, which could only be determined with forensic accounting, could well be close to 1 million records.

Databreaches.net reported on the initial breach in 2012 and continued to cover the story. A detailed write up of the legal dispute and latest breach can be found on the following link: https://www.databreaches.net/an-old-hipaa-incident-rears-its-very-ugly-head-again/

Golden Valley Health Centers Alerts Patients to Email Security Breach

Golden Valley Health Centers, a network of healthcare centers in the Merced, Modesto, and Central Valley regions of California, is alerting patients that some of their protected health information has been exposed. Patient information was stored in emails and email attachments in an account that was accessed by an unauthorized individual. The breach was discovered on March 3, 2020 and forensic investigators were called in to investigate.

An analysis of the accounts revealed they contained names, billing information, health insurance information, appointment records, and patient referral information. While the investigation confirmed that the email account had been accessed by an unauthorized individual, no evidence of data theft or data misuse was uncovered.

In response to the breach, Golden Valley Health Centers is reviewing and revising its information security policies and privacy practices and further training has been provided to the workforce.

The HHS’ Office for Civil Rights breach portal shows 39,700 patients have been affected.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.