Archive for Breach Notification
Cyber criminals hacked into part of a computer network at UCLA Health System in California, compromising records of at least 4.5 million people, the university hospital system reported on Friday.
There is no evidence yet that the hackers accessed or acquired individuals’ PHI, although the compromised areas of the network do contain names, addresses, birthdates, Social Security numbers, medical record numbers, Medicare or health plan numbers, and other medical information, according to a statement from UCLA Health.
The health system is working with the FBI and has also hired private computer forensic experts to secure information on network servers.
An Indiana-based EHR vendor and its subsidiary company were the victims of a sophisticated criminal cyber-attack last week that exposed the PHI of some patients at several of the vendor’s clients, according to a notice Medical Informatics Engineering (MIE) posted to its website June 10.
The statement did not say how many patients were affected, but did list the following affected clients, which were each notified of the breach:
- Fort Wayne Neurological Center
- Franciscan St. Francis Health Indianapolis
- Gynecology Center, Inc. Fort Wayne
- Rochester Medical Group
The breach also affected MIE’s subsidiary, NoMoreClipboard, which is also based out of its Fort Wayne offices. A separate notice to those clients and patients was issued.
A nurse practitioner took patient information with her when she left her job at the University of Rochester Medical Center (URMC) in Rochester, New York, for a position at a local outside practice, Greater Rochester Neurology.
The employee took a list containing information on thousands of her patients and then shared that list with her new employer, all without obtaining the patients’ permission, according to a press release issued May 26 by URMC.
The HHS Office for Civil Rights (OCR) entered into a $125,000 resolution agreement March 15 with Cornell Prescription Pharmacy (CCP) in Denver for HIPAA violations.
OCR received a media report January 11, 2012, indicating that CCP disposed of PHI in a publicly accessible dumpster. OCR began investigating CCP January 13, 2012, and notified the covered entity of the investigation February 27, 2012. The resolution agreement states that CCP failed to do the following:
- Reasonably safeguard PHI
- Implement written policies and procedures for compliance with the HIPAA Privacy Rule
- Provide and document HIPAA Privacy Rule training for workforce members since the compliance date of the rule
In addition to agreeing to the civil monetary penalty, CCP also agreed to do the following as part of the resolution agreement with OCR:
- Develop, maintain, and revise written policies and procedures to comply with federal privacy standards
- Provide copies of policies and procedures to OCR for review and approval
- Adopt and implement policies and procedures within 30 days of OCR approval
- Distribute policies and procedures to workforce members within 30 days of OCR approval
- Require workforce members to sign policies and procedures indicating that they have read, understand, and will abide by them
- Assess, update, and revise policies and procedures annually
- Restrict workforce members from the use or disclosure of PHI if they have not signed the policies and procedures
- Train workforce members on the new policies and procedures within 30 days of implementation
- Notify HHS/OCR of any future reportable breaches within 30 days of conducting an internal investigation
The Denton County (Texas) Health Department began notifying tuberculosis (TB) clinic patients of a breach that occurred in February when a health department employee left a USB drive containing PHI at a printing store, according to a press release.
The USB drive contained the names, dates of birth, addresses, and test results of 874 patients seen at a TB clinic associated with the county health department. The employee left the USB drive unattended at the printing store for approximately one hour, according to the press release.
The department launched an internal investigation after the employee voluntarily reported the potential breach. The press release states that the department does not believe the records were accessed during the time the USB drive was left unattended. However, it is notifying affected patients by mail and recommending that they obtain a credit report and monitor financial statements.