PHI of 6,000 Patients Unlawfully Accessed

6,000 patients of Susanville, CA-based physician Hal Meadows, M.D., have been notified that some of their protected health information was accessed by an unauthorized individual who unlawfully gained access to a computer used by Dr. Meadows.

The information on the computer included the names, telephone numbers and addresses of patients, along with their dates of birth, insurance numbers, treatment codes, and billing information. The breach was discovered on July 27, 2016 and patients were notified by mail in September.

The matter was reported to the FBI, which retained the computer for analysis. Dr. Meadows reports he now “has heightened procedures, safeguards, and staff training to prevent a recurrence of this situation.”

KidsPeace Reports Loss of Files Containing PHI

KidsPeace, a private charity offering support and assistance to children with behavioral and mental health issues, has reported a potential breach of confidential information. A box of paperwork containing the protected health information of 1,456 individuals was discovered to be missing from its Schnecksville, PA head office.

The missing documentation contained names, dates of birth, patient account numbers, medical record numbers, and service dates of individuals who had received treatment between 2001 and 2004. No medical information was contained in the documents. The paperwork included reference documents confirming data retention policies had been followed and clients’ medical records had been destroyed in accordance with its policies.

While it is possible that the files were inappropriately removed, KidsPeace believes the files may have been accidentally destroyed. A full investigation was launched and a search of the facility was conducted, but the documents could not be located. KidsPeace also confirmed that no unauthorized individuals accessed its facility between July 29 and August 1 when the files were discovered to be missing.

As a precaution, the locks on the facility were changed and policies and procedures relating to the secure storage and disposal of PHI were reviewed.

Napa Valley Dentistry Reports PHI Theft

A decommissioned password-protected server containing the PHI of former patients of Dr. C. Michael Quinn, DDS, the previous owner of Napa Valley Dentistry, has been stolen. The practice, which included the server, was purchased by Dr. Justin Newberry, DDS in December 2012. The server was being stored in a locked and gated storage facility. However, the storage unit was broken into and the server was stolen.

The server is understood to contain the names of patients, their addresses and dates of birth, dental insurance information, and Social Security numbers. It is unclear how many patients have been impacted by the theft.

The theft was discovered on August 11, 2016, although it took until September 8 to ascertain which individuals had been affected by the breach. It is not known whether any data were accessed; however, as a precaution patients have been offered a year of credit monitoring and identity theft protection services without charge.

The relationship with the storage facility has been terminated, information security practices have been reviewed, and action has been taken to prevent future breaches of PHI.

Printing Error Results in PHI Exposure

CalOptima has reported that a printing error resulted in health incentive surveys being sent to incorrect patients. 1,000 patients received surveys in the mail that were meant for other members. The surveys included the full name of another patient, the patient’s identification number, and in some cases, the survey disclosed that the individual had been diagnosed with diabetes. The mailing error occurred on October 7, 2015 and was discovered the following day; however, the Department of Health and Human Services was only informed of the privacy breach in August.

University of Wisconsin Hospitals and Clinics Authority has also reported a mailing error which impacted 6,923 patients. The patients were sent an improperly addressed customer satisfaction survey. No PHI was exposed, although the surveys were addressed to “The parent or guardian of [patient name]” rather than being addressed to the patient. The surveys were mailed between July 29 and August 2.

The error was attributed to an improperly formatted computer file. Additional staff training has been provided to ensure that future mailings contain no errors.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.