The Centers for Medicare and Medicaid Services has awarded Figliozzi and Co., of Garden City, N.Y., a contract to audit payments and compliance with the agency’s EHR Incentive Program.
Figliozzi, a certified public accountant firm that specializes in auditing healthcare facilities for Medicare cost compliance, will also examine participating providers to assure that they are eligible Medicare and Medicare Advantage physicians and hospitals.
http://www.govhealthit.com/news/cms-selects-figliozzi-audit-ehr-payments
NOTE: Will be interesting if they audit compliance with Objective 14 for Eligible Hospitals which calls for HIPAA Risk Analysis.
Friday, April 27, 2012
Monday, April 23, 2012
Spreadsheet to Personal Email Account - Breach Notification
The South Carolina Department of Health and Human Services is notifying 228,435 Medicaid beneficiaries following a major breach of protected health information.
The department discovered on April 10 that an employee, since terminated, transferred 17 spreadsheets dating back to Jan. 31, 2012, to a personal email account. Police are investigating but the department does not yet know the reason for the transfers.
The compromised data included names, addresses, birth dates, phone numbers and Medicaid ID numbers, and Social Security numbers in 22,604 cases where a Medicare number was linked to beneficiaries’ names.
http://www.healthdatamanagement.com/news/breach-notification-hipaa-privacy-security-ocr-44343-1.html?techlabs=1
Data Sent for Analysis to Outside Individual
A physician at the University of Arkansas for Medical Sciences sent financial data to an outside individual for analysis, resulting in a breach of protected health information affecting about 7,000 patients.
The physician sent the information in February and intended to remove all patient identifying information, but the academic health center learned on April 6 that identifiers remained in the information.
http://www.healthdatamanagement.com/news/breach-notification-hipaa-privacy-security-ocr-44348-1.html?ET=healthdatamanagement:e2515:202994a:&st=email&utm_source=editorial&utm_medium=email&utm_campaign=HDM_Daily_042312
Sunday, April 22, 2012
Misplaced Backup Tapes (Not Encrypted) Emory
Thursday, April 19, 2012
Atlanta Health System Announces Data Breach Affecting 315K Patients
On Wednesday, Emory Healthcare -- an Atlanta-based health care system -- announced that it cannot locate 10 computer discs containing personal data on 315,000 patients, the Atlanta Journal-Constitution reports (Teegardin, Atlanta Journal-Constitution, 4/18).
Details on the Breach
John Fox -- Emory Healthcare president and CEO -- said the discs went missing from storage between Feb. 7 and Feb. 20 (Karkaria, Atlanta Business Chronicle, 4/18).
The 10 missing discs contained information on all patients who received surgery at the Emory Clinic Ambulatory Surgery Center, Emory University Hospital or Emory University Midtown between September 1990 and April 2007.
Data stored on the discs included patients':
Names;
Diagnoses;
Surgeons; and
Surgical procedures (Atlanta Journal-Constitution, 4/18).
In addition, about 228,000 of the missing records included Social Security numbers, Emory Healthcare said.
Read more: http://www.ihealthbeat.org/articles/2012/4/19/atlanta-health-system-announces-data-breach-affecting-315k-patients.aspx#ixzz1ssiWvRD4
Wednesday, April 18, 2012
‘Monetary Enforcement’ Is the New Aim Of OCR
The $1.5 million settlement that the Office for Civil Rights recently reached with BlueCross BlueShield of Tennessee heralds a new era of “monetary enforcement” by the agency, in contrast to its long-standing approach of what OCR Director Leon Rodriguez termed “hand-holding.”
In an interview with RPP, Rodriguez discussed the settlement and OCR’s plan to refocus its enforcement in pursuit of what he called “high-impact cases.”
Rodriguez emphasized as well that covered entities (CEs) and business associates (BAs), in the future, will face sanctions on all lapses discovered during an investigation regardless of whether they are directly related to the incident that sparked OCR’s attention in the first place.
http://aishealth.com/archive/hipaa0412-03?goback=%2Egde_2353994_member_107674360
HHS settles case with Phoenix Cardiac Surgery for lack of HIPAA safeguards
Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona, has agreed to pay the U.S. Department of Health and Human Services (HHS) a $100,000 settlement and take corrective action to implement policies and procedures to safeguard the protected health information of its patients.
The settlement with the physician practice follows an extensive investigation by the HHS Office for Civil Rights (OCR) for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.
The incident giving rise to OCR’s investigation was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic protected health information (ePHI).
“This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” said Leon Rodriguez, director of OCR. “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”
OCR’s investigation also revealed the following issues:
- Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;
- Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
- Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and
- Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.
Individuals who believe that a covered entity has violated their (or someone else’s) health information privacy rights or committed another violation of the HIPAA Privacy or Security Rule may file a complaint with OCR at: http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.
The HHS Resolution Agreement can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/pcsurgery_agreement.pdf
Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html
MIAOULIS NOTE: Interesting that this is a fine against a physician practice. Also important to remember that in addition to the fine, the organization will now have a remediation plan to complete.
Monday, April 16, 2012
Paper Billing Information Removed by Vendor
St. Elizabeth’s Medical Center said Friday it is notifying 6,831 patients that their billing information, including credit card numbers and security codes, may have been compromised when documents the hospital planned to shred were removed by a vendor from a building scheduled for demolition.
The papers did not include personal medical information and so far, there have been no reports that any of the billing data contained in the documents has been misused, according to hospital officials.
St. Elizabeth’s, in Boston’s Brighton neighborhood, released a statement saying it was alerted on Feb. 3 by an individual who reported finding papers from the hospital blowing through a field in Charlestown. They contained cashier’s receipts for credit card payments made by five patients at St. Elizabeth’s surgical day center and other outpatient services.
http://www.boston.com/Boston/businessupdates/2012/04/elizabeth-medical-center-notifies-patients-billing-data-breach-charlestown-incident/yegdwuqQfWe75p9jaugzWO/index.html
Saturday, April 14, 2012
Patient ID information stolen at Memorial hospitals
Patients of Memorial hospitals in south Broward County had their identities stolen by employees who wanted to use the information to make money filing phony tax returns, Memorial officials said Thursday.
Two employees have been fired and are under criminal investigation by federal agents for improperly gaining access to the patients' information, said Kerting Baldwin, a spokeswoman for tax-assisted Memorial Healthcare System, parent of five Memorial hospitals.
http://articles.sun-sentinel.com/2012-04-13/business/fl-memorial-hospital-id-theft-20120412_1_identity-thieves-identity-theft-tax-returns
Tuesday, April 10, 2012
Small Organizations Easy Targets
Small organizations, including physician practices, represented the largest number of data breaches in 2011, according to Verizon’s annual Data Breach Investigations Report.
The report examined 855 breaches across the globe that accounted for 174 million compromised records in 2011. The analysis found that cyber criminals are responsible for a large number of breaches globally, and small organizations are considered easy targets.
One of the reasons breaches at small health care organizations are on the rise is that automated attacks searching for remote Internet access services combined with weak passwords “were successful against smaller health care businesses, such as physicians’ offices and clinics,” said Marc Spitler, senior risk analyst of RISK Intelligence for Verizon.
The report said 97% of the crimes could have been avoided through simple or intermediate security controls.
http://www.ama-assn.org/amednews/2012/04/02/bisf0405.htm
Monday, April 9, 2012
UTAH DTS Breach Larger Than First Reported (up to 630,000)
UPDATED: 4/10--- Latest Information: http://www.health.utah.gov/databreach/
The Utah Department of Technology Services (DTS), along with the Utah Department of Health (UDOH) today announced up to 255,000 additional people had their Social Security numbers listed in data stolen by thieves from a computer server last week. These latest victims are people whose information was sent to the state by their health care provider in a transaction called a Medicaid Eligibility Inquiry to determine their status as possible Medicaid recipients.
The victims are likely to be people who have visited a health care provider in the past four months. Some may be Medicaid or CHIP recipients; others are individuals whose health care providers were unsure as to their status as Medicaid recipients.
DTS has started the process of identifying these additional victims, and the state will be sending letters directly to them as they are identified. Some of the 255,000 Social Security numbers were not accompanied by any other identifying information (such as names and addresses), so DTS will likely need to coordinate with other agencies to identify and notify these individuals.
Victims who had their SSNs stolen will receive one year of free credit monitoring services. There are additional steps anybody can take to help protect their identity and their financial information. This includes placing either a freeze or a fraud alert on their personal credit file with the nation’s three credit bureaus. For information on how to do this, visit http://idtheft.utah.gov/
As many as 350,000 additional people may have had other, less-sensitive information, such as their names, birth dates, and addresses accessed through eligibility inquiries. These people will also receive a letter alerting them to the situation. However, priority will be placed on alerting those who had their Social Security numbers stolen first.
It is now believed that a total of approximately 280,000 victims had their Social Security numbers stolen and approximately 500,000 other victims had less-sensitive personal information stolen.
---------------------------------------------------------
FRIDAY, April 6:
http://udohnews.blogspot.com/2012/04/impact-of-dts-data-breach-on-medicaid.html
(Salt Lake City, UT) – A cyber attack on a Utah Department of Technology Services (DTS) computer server that stores Medicaid claims data now appears to have affected far more recipients than originally believed. In addition to Medicaid clients, the breach also involved information from Children’s Health Insurance Plan (CHIP) recipients.
As part of its on-going investigation into the attack, DTS today reported to the Utah Department of Health (UDOH) that approximately 181,604 Medicaid and CHIP recipients had their personal information removed from the server. Of those individuals, 25,096 appear to have had their Social Security numbers compromised.
The UDOH will immediately begin reaching out to clients whose personal information was stolen during the attack, with priority being placed on those clients whose Social Security numbers were jeopardized. Those clients will receive a letter in the mail instructing them on how to take advantage of free credit monitoring services for one year.
Initially, it appeared as though the hackers who broke into the server were able to remove 24,000 claims. However, as the investigation progressed, DTS determined the thieves actually removed 24,000 files. One single file can potentially contain claims information on hundreds of individuals.
DTS servers have multi-layered security systems that include many controls, including: perimeter security, network security, identity management, application security, and data security. In this particular incident, a configuration error occurred at the authentication level, allowing the hacker to circumvent the security system. DTS has processes in place to ensure the state’s data is secured, but this particular server was not configured according to normal procedure.
DTS has identified where the breakdown occurred and has implemented new processes to ensure this type of breach will not happen again. Additional steps are being implemented to improve security controls related to the implementation of computer hardware and software, as well as increased network monitoring and intrusion detection capabilities.
The investigation into the breach of the server is ongoing, and the two agencies will continue to update the public with any further developments.
-----------------------------------------------------
APRIL 4, 2012: http://udohnews.blogspot.com/2012/04/state-agencies-investigating-data.html
(Salt Lake City, UT) – The Utah Department of Technology Services (DTS) notified the Utah Department of Health (UDOH) Monday evening of an information breach on a DTS server that houses Medicaid claims. The initial breach appears to have taken place on Friday, March 30. During the breach, information was accessed from approximately 24,000 claims.
DTS is investigating to determine how many individual Medicaid clients may have been affected, and what personal information may have been compromised. Typically, claims stored on servers like the one that experienced the breach could include client names, addresses, birth dates, Social Security numbers, physician’s names, national provider identifiers, addresses, tax identification numbers, and procedure codes designed for billing purposes.
------------------------------
MIAOULIS NOTE: DTS servers have multi-layered security systems, but did not have encryption. Learn from others' mistakes. Could this happen at your organization? Why not?
This keeps growing and is interesting to watch: from 24,000 claims, to 24,000 files, to 280,000 people with SSNs and an additional 350,000 people. Stay tuned.
Sunday, April 8, 2012
Georgia Health Sciences University - Laptop stolen from HOME
AUGUSTA, Ga. – Georgia Health Sciences University has notified 513 patients about the theft of a laptop computer that may have contained some of their personal information.
On Jan. 18, a nurse practitioner who works in sickle cell clinics across Georgia, including the Georgia Health Sciences Adult Sickle Cell Clinic, had a laptop computer stolen from her home. The information in the records on the laptop was limited to name, date of birth, limited diagnosis information and an internal code associated with the patient’s laboratory tests. The records did not include addresses, Social Security numbers or financial information.
The theft was reported to the Richmond County Sheriff’s Office, as well as campus Public Safety and privacy and security officers.
“Everyone at Georgia Health Sciences is committed to protecting our patients’ privacy and we greatly regret this incident,” said Christine Adams, Enterprise Privacy Officer. “We have taken steps to further strengthen our security efforts and are making every attempt to personally notify patients whose information may have been involved.”
Patients of the Adult Sickle Cell Clinic who are concerned they may be affected but were not notified are encouraged to contact Adams at 800-576-6623, 706-721-1626 or privacy@georgiahealth.edu
http://news.georgiahealth.edu/archives/5161
Note: This is interesting because the theft occurred at home. Again, encrypt, encrypt, encrypt. It is not hard to do. If the laptop had been encrypted, reporting would not have been required. Ensure you also use and train on strong passwords, or use two-factor authentication.
Saturday, April 7, 2012
Theft of Radiology Registration DOCUMENTS
Thomas Jefferson University Hospitals (TJUH) has notified approximately 600 patients that there was a theft of radiology registration documents containing personal information for services provided between February 4 and March 22, 2005. Affected patients have been sent a letter detailing the extensive identity protection resources being made available to them.
The stolen documents were the subject of a criminal investigation being conducted by the Towamencin Township Police and were disclosed to TJUH management on February 9, 2012. These documents contained personal health information that included: patient name, address, home phone number, work phone number, Social Security number, date of birth, TJUH account number, TJUH medical record number, insurance information, emergency contact, and the specified radiological studies performed.
http://www.jeffersonhospital.org/Home/News/2012/April/thomas-jefferson-university-hospitals-notify-patients-of-security-breach.aspx
NOTE: Interesting that this involved paper and not mobile electronic media.
Health Data Breaches Offer New Vein for Plaintiffs Lawyers to Tap
SAN FRANCISCO — In January, Deanna DeBaeke plugged her name into Google — and was shocked at what she found.
Right there online were three reports containing the Sonoma County resident's confidential medical information relating to her treatment at Santa Rosa Memorial Hospital a year earlier. Her height and weight, smoking history, blood pressure and patient account number and treatment dates were available for friends, neighbors, even potential employers, to see.
DeBaeke decided to take legal action — in a way that puts her at the vanguard of a new strain of litigation. She's a name plaintiff in a proposed class action against the hospital system for violating California's strict medical information privacy laws. Her attorneys, San Francisco plaintiffs shop Keller Grover, filed the complaint in Sonoma County Superior Court a week ago.
The potentially multimillion-dollar case is the latest in a flurry of privacy data breach actions targeting hospitals, medical services providers and at least one health insurance company across California. Recent pro-business court decisions have made certain consumer class actions less attractive, and plaintiffs lawyers are on the lookout for other lines of business. The combination of a state-law specified damages figure of $1,000 per person per violation and the massive scale of potential breaches has plaintiffs lawyers salivating and potential defendants bracing for a fierce fight.
http://www.law.com/jsp/ca/PubArticleFriendlyCA.jsp?id=1202548282179&slreturn=1
Wednesday, April 4, 2012
Worst IT Security Breaches Debriefed
Note: The linked graphic shows some of the worst IT security breaches. None involved healthcare, but it does illustrate what gets breached and how. The introduction is worth reading: it cites 174 million records compromised, and states that the level of threat is so great that some say it is no longer a matter of if you get hacked, but when. Given the healthcare breach notification rules, you should take steps now to mitigate this risk rather than wait to find out.
http://www.backgroundcheck.org/worst-it-security-breaches/

Presented by: Background Check Guide
Monday, April 2, 2012
HIPAA/HITECH final rules shipped off to OMB
Read the Rule: http://www.reginfo.gov/public/do/eAgendaViewRule?pubId=201110&RIN=0945-AA03
OCR took the final step before publishing final rules on HIPAA/HITECH, sending its rules to the Office of Management & Budget (OMB) on March 24 for review.
Once OMB completes the review — which can last up to 90 days — the rules will be published. OCR packaged four rules into one under the title, “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules”:
The final rules will include:
- Modifications to the HIPAA Privacy and Security Rules (namely making business associates and subcontractors liable and responsible for security-rule compliance and the use and disclosures provision of the privacy rule)
- Enforcement (new penalty levels)
- Breach notification
- Modifications of the HIPAA Privacy Rule as required by section 105 of the Genetic Information Nondiscrimination Act of 2008.