Friday, July 30, 2010

Computer with patient data stolen from Jefferson

A laptop computer with health and personal information on 21,000 patients was stolen from an office at Thomas Jefferson University Hospital in Philadelphia in June.

The patients whose unencrypted records were on the password-protected laptop were notified last Friday of the theft in a letter from hospital president Thomas J. Lewis, who offered identity-theft monitoring and protection.

Lewis said the hospital would do all it could to protect the patients whose information, including Social Security numbers, had been exposed and take steps to prevent similar incidents in the future.

The breach at Jefferson is part of a national problem, experts say.

A federal database has documented 121 such lapses nationwide since September 2009, showing that medical or financial information had been exposed for more than five million people.

Tuesday, July 27, 2010

Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case

Company agrees to substantial corrective action to safeguard consumer information
July 27, 2010

Rite Aid Corporation and its 40 affiliated entities have agreed to pay $1 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, the U.S. Department of Health and Human Services (HHS) announced today. In a coordinated action, Rite Aid also signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act.

Rite Aid, one of the nation’s largest drug store chains, has also agreed to take corrective action to improve policies and procedures to safeguard the privacy of its customers when disposing of identifying information on pill bottle labels and other health information. The settlements apply to all of Rite Aid’s nearly 4,800 retail pharmacies and follow an extensive joint investigation by the HHS Office for Civil Rights (OCR) and the FTC.

OCR, which enforces the HIPAA Privacy and Security Rules, opened its investigation of Rite Aid after television media videotaped incidents in which pharmacies were shown to have disposed of prescriptions and labeled pill bottles containing individuals’ identifiable information in industrial trash containers that were accessible to the public. These incidents were reported as occurring in a variety of cities across the United States. Rite Aid pharmacy stores in several of the cities were highlighted in media reports.

Disposing of individuals’ health information in an industrial trash container accessible to unauthorized persons is not compliant with several requirements of the HIPAA Privacy Rule and exposes the individuals’ information to the risk of identity theft and other crimes. This is the second joint investigation and settlement conducted by OCR and FTC. OCR and FTC settled a similar case involving another national drug store chain in February 2009.

The HIPAA Privacy Rule requires health plans, health care clearinghouses and most health care providers (covered entities), including most pharmacies, to safeguard the privacy of patient information, including such information during its disposal.

Among other issues, the reviews by OCR and the FTC indicated that:
· Rite Aid failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process;
· Rite Aid failed to adequately train employees on how to dispose of such information properly; and
· Rite Aid did not maintain a sanctions policy for members of its workforce who failed to properly dispose of patient information.

Under the HHS resolution agreement, Rite Aid agreed to pay a $1 million resolution amount to HHS and must implement a strong corrective action program that includes:
· Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;
· Training workforce members on these new requirements;
· Conducting internal monitoring; and
· Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS.

Rite Aid has also agreed to external independent assessments of its pharmacy stores’ compliance with the FTC consent order. The HHS corrective action plan will be in place for three years; the FTC order will be in place for 20 years.

For additional information and to read the Resolution Agreement, visit

Friday, July 23, 2010

Thousands of personal record files dumped in recycling bin

Curious, they pulled out a couple and were stunned to see that they appeared to be medical records, Karen Keith said.

The information inside the files included some that couldn't be more personal – or dangerous: Social Security numbers, copies of drivers' license numbers and even credit card numbers, she said.

Lost CD - 29,808 Care1st Members

SACRAMENTO – The California Department of Health Care Services (DHCS) has reported to federal authorities that a missing compact disc (CD) delivered to the department may not have been encrypted by the sender, Care 1st Health Plan. The CD contains personal information, including names and addresses, for 29,808 Care 1st members.

Without proper encryption, which is required by DHCS of all its trading partners who share protected and personal information, the CD could possibly be accessed by unauthorized users. Care 1st cannot confirm that the CD was encrypted. Though DHCS believes the CD is still on its premises and there is no indication of inappropriate access, DHCS reported the incident to the U.S. Department of Health and Human Services as required by law.

MIAOULIS NOTE: The same story: encrypt, encrypt, encrypt. Encrypt all mobile media, laptops, thumb drives, CDs, tapes, etc.

Offsite data destruction and lack of encryption play role in South Shore Hospital breach

Hospital says 800K records may be missing

South Shore Hospital in Weymouth says computer files containing personal information for about 800,000 people were lost when they were being shipped to a contractor for destruction.

The backup computer files were shipped out on Feb. 26, 2010, the hospital said. When the company did not provide certificates of destruction, the hospital inquired and learned from the company that only a portion of the files had been received and destroyed. A search is underway for the missing files.

Friday, July 9, 2010

HHS Issues Notice of Proposed Rulemaking to Implement HITECH Act Modifications to the HIPAA Rules

July 8, 2010
The Department of Health and Human Services (HHS) issued a notice of proposed rulemaking today to modify the Privacy, Security, and Enforcement Rules issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, is designed to promote the widespread adoption and standardization of health information technology, and requires HHS to modify the HIPAA Privacy, Security, and Enforcement Rules to strengthen the privacy and security protections for health information and to improve the workability and effectiveness of the HIPAA Rules.

The proposed modifications to the HIPAA Rules issued today include provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans. In addition, the proposed rule adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions.

“This proposed rule strengthens the privacy and security of health information, and is an integral piece of the Administration’s efforts to broaden the use of health information technology in healthcare today,” said Georgina Verdugo, director of the HHS Office for Civil Rights (OCR). These HIPAA Rules are administered and enforced by OCR.

Once it is published in the Federal Register, the notice of proposed rulemaking may be viewed and commented on for 60 days at

In addition to issuing the notice of proposed rulemaking, OCR also updated its breach notification webpage. Breaches of unsecured protected health information affecting 500 or more individuals that are reported to the Secretary are now posted in a new, more accessible format that allows users to search and sort the reported breaches. Additionally, this new format includes brief summaries of the breach cases that OCR has investigated and closed, as well as the names of private practice providers who have reported breaches of unsecured protected health information to the Secretary.

Visit the OCR website for more information about this proposed rule and the updated breach notification webpage:

Thursday, July 8, 2010

Envelopes for UF study of girls had personal data with address

University of Florida officials have notified more than 2,000 adolescent girls that their Social Security or Medicaid identification numbers were mistakenly printed on address labels sent on letters inviting them to take part in a research study.
The letters were mailed May 24 to the parents of the girls seeking their participation in a study about human papillomavirus, or HPV, vaccination. After the problem was discovered June 6, UF officials said that they launched an investigation and notified state and federal officials of the breach.

Friday, July 2, 2010

New York hospital loses (7 unencrypted CDs) data on 130,000 via FedEx

New York's Lincoln Medical and Mental Health Center is notifying patients that their personal information may have been compromised after seven CDs full of unencrypted data were FedExed by a hospital contractor and then lost in transit.

The CDs were sent by the hospital's billing processor, Siemens Medical Solutions USA, around March 16, but never arrived at their intended destination. They included sensitive health and personal information including Social Security numbers, addresses, dates of birth, health plan numbers, driver's license numbers and even descriptions of medical procedures, the hospital said on a note posted to its Web site.

The breach affects 130,495 patients, according to a notification posted Tuesday by the U.S. Department of Health and Human Services.
Miaoulis Note: Tools are there to encrypt thumb drives, CDs, etc. Organizations need to encrypt, encrypt and encrypt. Mobile media should be the first place to start.

Thursday, July 1, 2010

Security glitch exposes WellPoint data again

Associated Press, June 29, 2010

WellPoint Inc. has notified 470,000 individual insurance customers that medical records, credit card numbers and other sensitive information may have been exposed in the latest security breach of the health insurer's records.

The Indianapolis company said the problem stemmed from an online program that customers can use to track the progress of their application for coverage. Spokeswoman Cynthia Sanders said an outside vendor had upgraded the insurer's application tracker in October and told the insurer all security measures were back in place.

But a California customer discovered that she could call up confidential information of other customers by manipulating Web addresses used in the program. Customers use a website and password to track their applications.