Washington DC VA Medical Center Breach Exposes PHI of 1,062 Veterans

Washington DC Veterans Affairs Medical Center has reported a security incident that has exposed the protected health information of 1,062 veterans.

On March 31, 2016, the privacy office of the Washington DC Veterans Affairs Medical Center was notified that a controlled substance monthly report had been discovered to be missing. The report included veterans’ full names along with their full or partial Social Security numbers.

An investigation into the incident was launched and attempts were made to locate the missing document, but it has not been recovered.

In response to the incident, the medical center has updated its procedures and has now implemented new controls to prevent future privacy breaches of this nature from occurring.

All veterans affected by the privacy breach are being sent breach notification letters and will be offered a year of credit monitoring and identity theft protection services without charge. Details of the steps that veterans can take to protect their privacy have also been included in the breach notification letters.

Berkeley Endocrine Clinic Informs Patients of Privacy Breach

On April 22, 2016, Berkeley Endocrine Clinic discovered that some of the patients on its contact list had been sent a spam email. While no protected health information was exposed in the message, a privacy breach occurred while affected individuals were being notified of the spam email.

All of the individuals who were believed to have been sent the spam message were contacted via email; however, their email addresses were not masked. Consequently, all individuals on the mailing list had their email addresses disclosed to other patients.

Aside from names and email addresses, no other protected health information was exposed as a result of the email error. The Office for Civil Rights breach report indicates 1,370 patients were affected.

The clinic has now implemented new administrative steps which are intended to prevent repeat breaches of this nature. The clinic has suggested that patients may wish to change their email address as a result of the disclosure.

Associates in EyeCare Breach Affects 971 Patients

The Whitley City, KY, offices of Associates in EyeCare, P.S.C., were burgled on March 19, 2016. The thieves entered the premises and stole two laptop computers and a computer hard drive.

An internal investigation revealed that some protected health information was stored on the devices. Patients’ names, internal account numbers, optical images, and technical data related to those images could potentially have been accessed. Some patients also had their date of birth exposed.

The break-in was reported to law enforcement and the perpetrator was arrested. That individual explained that the equipment had been given to a drug dealer in exchange for narcotics. Attempts have been made to recover the stolen equipment and pawn shops have been placed on alert to look out for the devices. At the time of writing, the laptops and hard drive have not been recovered.

To prevent future breaches of protected health information, Associates in EyeCare will be using data encryption on all portable devices used to store PHI. Policies have also been introduced to ensure strong passwords are used and, as an additional security measure, staff have been re-trained on HIPAA requirements regarding the protection of ePHI.

The OCR breach report indicates 971 patients were affected.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.