Archive for HIPAA Violations
The theft of three desktop computers at Bay Area Pain Medical Associates in Sausalito, California, may have exposed information about 2,780 patients, according to a sample notification letter released by the medical group.
Medical records stored on the desktop computers were encrypted, but the medical center suspects that an Excel® spreadsheet containing patient names and dates of service may have been accessible. Thieves broke into Bay Area Pain Medical Associates May 19. The theft was discovered the following day, at which time the medical center notified law enforcement officials, according to the letter.
HHS frequently stresses the importance of encrypting devices. In April, HHS released a statement that emphasized the need for encryption, citing two OCR settlement agreements that totaled nearly $2 million as examples of the dangers posed by unencrypted devices in healthcare.
Although some Bay Area Pain Medical Associates patient names on the computers may have been accessed following the break-in, the medical group stated in its letter that encryption would prevent the unauthorized disclosure of other PHI stored on the devices, including Social Security numbers and dates of birth.
Women & Infants Hospital of Rhode Island agreed to a $150,000 settlement with the Massachusetts Attorney General for a November 2012 breach that affected more than 12,000 Massachusetts patients, according to Boston Business Journal.
The breach began in 2011 when the hospital transferred 19 unencrypted back-up tapes from the hospital’s prenatal diagnostic centers in New Bedford, Massachusetts, and Providence, Rhode Island, to a central data center for its parent company, Care New England Health System. The parent company then sent the tapes off-site for archival. In 2012, Women & Infants Hospital staff discovered that 12 of the tapes were missing. The tapes contained patients’ names, dates of birth, Social Security numbers, exam dates, and ultrasound images, as well as physicians’ names. Approximately 1,800 patients from other states were also affected, Boston Business Journal reported.
The Massachusetts Attorney General’s Office filed a complaint against Women & Infants Hospital of Rhode Island July 2, 2014, alleging that the hospital violated HIPAA by failing to track the back-up tapes and neglecting to notify affected patients of the breach in a timely manner. Under the settlement agreement, the hospital must maintain an inventory of its systems, custodians, and descriptions of unencrypted data and paper charts that contain PHI, Boston Business Journal reported.
In just one week, Rady Children’s Hospital-San Diego uncovered multiple breaches of PHI caused by human error that affected more than 20,000 patients, according to a hospital press release.
The first breach occurred June 6 and affected 14,121 patients admitted to the hospital from July 1, 2012, through June 30, 2013. The breach occurred when a hospital employee accidentally emailed a spreadsheet containing PHI to four job applicants when trying to send a training file to evaluate the applicants. Upon contacting the four applicants, the hospital learned that one forwarded the email and attachment to two additional people. The spreadsheet contained patients’ names, dates of birth, primary diagnoses, admit/discharge dates, and medical record numbers, as well as insurance carrier and claim information, according to the press release.
While performing an internal investigation following the June 6 breach, the hospital learned that a similar breach affecting 6,307 patients occurred in August, November, and December 2012. In this instance, a hospital employee emailed a test file containing PHI to three job applicants. An additional six applicants took the same test at the hospital, but were unable to save, store, or send the data. The test contained patients’ names, discharge dates, location they were seen, payer name, and balance, according to the press release.
A former East Texas hospital employee faces up to 10 years in prison for HIPAA violations, according to a press release from the U.S. Department of Justice.
Joshua Hippler, 30, formerly of Longview, Texas, faces charges for wrongful disclosure of individually identifiable health information. Hippler was accused of obtaining PHI with the intent to use it for personal gain while employed by the hospital in question from December 1, 2012, through January 14, 2013. A grand jury recently indicted Hippler, according to the press release.
Hackers recently gained unauthorized access to a computer server at the Montana Department of Public Health and Human Services (DPHHS), according to a statement released by the department.
Department officials began an investigation May 15 after detecting suspicious server activity. Investigators determined May 22 that hackers accessed a Montana DPHHS computer and gained access to client data including names, addresses, dates of birth, and Social Security numbers. Information about services the clients received or applied for may have been accessed as well. The Montana DPHHS shut down the server upon discovering the breach. The department notified affected individuals July 3 but does not believe anyone inappropriately used or accessed the data, according to the statement.
Several news outlets, including Reuters, reported that the hackers may have gained access to the personal information of 1.3 million individuals.