And the Data Breach Train Keeps Rolling

In the last few days, two hospitals have announced data breaches involving protected health information.

The first data breach incident, announced on October 1, 2013, involved St. Mary's Janesville Hospital, a 50-bed facility serving residents of Rock County Wisconsin.

According to the press release posted on the facility's website:
  • Circumstances: Laptop was stolen from an employee's car
  • Incident date: August 26 or 27, 2013
  • When discovered (by hospital): August 27, 2013
  • How discovered: Presumably when employee notified hospital
  • Patient notification date: September 30, 2013
  • Public notice date: October 1, 2013
  • Number of patients impacted: 629
  • When/where patients received treatment: Patients who were treated in the emergency department of St. Mary's Janesville Hospital between January 1, 2013 and August 26, 2013
  • Stolen information included: May have included patient name, date of birth, medical record and account numbers, provider and department of service, bed and room number, date and time of service, visit history, complaint, diagnosis, procedures, test results, vaccines, if administered, and medications. The laptop did not contain any Social Security numbers, addresses, credit card numbers, or financial information of any kind.

St. Mary's advised in its press release that the hospital "inspected all laptops to ensure they all have encryption software" and that the hospital "will actively be monitoring consistency of laptop encryption and conducting monthly audits to ensure compliance with [the hospital's] encryption policies." But, given this public notice and the notification to patients, it appears that the stolen laptop was either not encrypted or that the PHI was stored in the unencrypted portion of the laptop.

St. Mary's has partnered with ID Experts to provide the impacted patients with identity theft monitoring services for one year.

The second data breach incident was announced on October 2, 2013 by UnityPoint Health, a healthcare system providing services throughout Iowa and Illinois. According to the UnityPoint's press release (which appears to have been released to the media, but which could not be located on the system's website at
  • Circumstances: UnityPoint's electronic medical record (EMR) system was accessed by an unauthorized individual using the login details from authorized individuals
  • Incident date: Records accessed over a period from February 2013 - August 2013
  • When discovered (by hospital): On or around August 8, 2013
  • How discovered: Incident discovered during a "regular audit", when "UnityPoint detected a pattern of unusual access to certain patient data in its hospital EMR system"
  • Patient notification date: Sometime on or before October 2, 2013
  • Public notice date: October 2, 2013
  • Number of patients impacted: 1,800
  • When/where patients received treatment: Patients treated at UnityPoint Health system offices/locations anytime prior to when UnityPoint "shut off the unauthorized access by forcing a password reset"
  • Stolen information included: Names, home addresses, dates of birth, medical and health insurance account numbers, and health information related to patient treatment. For less than ten percent of impacted patients, patient Social Security number and/or Driver's License number may have been viewed. For four impacted patients, the unauthorized user also accessed information about the patients' financially responsible party.

UnityPoint is offering credit monitoring services to the impacted individuals.
