And the Data Breach Train Keeps Rolling

In the last few days, two hospitals have announced data breaches involving protected health information.

The first data breach incident, announced on October 1, 2013, involved St. Mary's Janesville Hospital, a 50-bed facility serving residents of Rock County, Wisconsin.

According to the press release posted on the facility's website:
  • Circumstances: Laptop was stolen from an employee's car
  • Incident date: August 26 or 27, 2013
  • When discovered (by hospital): August 27, 2013
  • How discovered: Presumably when employee notified hospital
  • Patient notification date: September 30, 2013
  • Public notice date: October 1, 2013
  • Number of patients impacted: 629
  • When/where patients received treatment: Patients who were treated in the emergency department of St. Mary's Janesville Hospital between January 1, 2013 and August 26, 2013
  • Stolen information included: May have included patient name, date of birth, medical record and account numbers, provider and department of service, bed and room number, date and time of service, visit history, complaint, diagnosis, procedures, test results, vaccines (if administered), and medications. The laptop did not contain any Social Security numbers, addresses, credit card numbers, or financial information of any kind.

St. Mary's advised in its press release that the hospital "inspected all laptops to ensure they all have encryption software" and that the hospital "will actively be monitoring consistency of laptop encryption and conducting monthly audits to ensure compliance with [the hospital's] encryption policies." But, given this public notice and the notification to patients, it appears that either the stolen laptop was not encrypted or the PHI was stored in the unencrypted portion of the laptop.

St. Mary's has partnered with ID Experts to provide the impacted patients with identity theft monitoring services for one year.

The second data breach incident was announced on October 2, 2013 by UnityPoint Health, a healthcare system providing services throughout Iowa and Illinois. According to UnityPoint's press release (which appears to have been released to the media, but which could not be located on the system's website at https://unitypoint.org):
  • Circumstances: UnityPoint's electronic medical record (EMR) system was accessed by an unauthorized individual using the login details of authorized individuals
  • Incident date: Records accessed over a period from February 2013 - August 2013
  • When discovered (by hospital): On or around August 8, 2013
  • How discovered: Incident discovered during a "regular audit", when "UnityPoint detected a pattern of unusual access to certain patient data in its hospital EMR system"
  • Patient notification date: Sometime on or before October 2, 2013
  • Public notice date: October 2, 2013
  • Number of patients impacted: 1,800
  • When/where patients received treatment: Patients treated at UnityPoint Health system offices/locations anytime prior to when UnityPoint "shut off the unauthorized access by forcing a password reset"
  • Stolen information included: Names, home addresses, dates of birth, medical and health insurance account numbers, and health information related to patient treatment. For less than ten percent of impacted patients, patient Social Security number and/or Driver’s License number may have been viewed. For four impacted patients, the unauthorized user also accessed information about the patients’ financially responsible party.

UnityPoint is offering credit monitoring services to the impacted individuals.
