Feds Add 4 More Major Breaches to List
Each incident affects more than 500 individuals
Since Feb. 22, the Office for Civil Rights within the U.S. Department of Health and Human Services has been regularly updating on its Web site a list of organizations that have notified HHS about a breach of unsecured health information involving more than 500 individuals.
Under the HITECH Act's breach notification rule, such incidents must be reported to HHS and the media within 60 days. Smaller breaches must be reported to HHS annually.
To view the list, click here. New cases are added as information is received and confirmed.
The four most recently added cases are:
University of Texas Medical Branch at Galveston
The organization notified 2,400 individuals that a former employee of a billing firm it had been using was arrested in unrelated identity theft cases.
The former employee of MedAssets Inc., Atlanta, was arrested and charged with using a stolen identity to gain employment with the firm, UTMB explained in a letter to patients. The billing worker also was charged in other unrelated instances of identity theft and credit card theft.
MedAssets determined that the individual had access to UTMB patients' accounts between July and October 2009. But UTMB reported that it was unaware of any evidence that any of its patients' information was misused. UTMB offered the affected patients identity theft protection paid for by MedAssets.
University Medical Center of Southern Nevada
The Las Vegas hospital reported an Oct. 31, 2009, incident involving the theft/unauthorized access of paper records affecting 5,103 individuals. Medical center officials provided sketchy details, saying they were "cooperating with the FBI on their investigation of this crime" which apparently involved someone making unauthorized copies of records.
"To enhance the protection of patient information, UMC employees are now required to enter a personal identification number on copy machines in patient areas so that photocopies can be tracked and audited," a spokesman said. The medical center is providing free credit monitoring to those who may have been affected. The hospital "sent notification letters to individuals who provided information to the hospital's trauma center on Oct. 31 or Nov. 1," a spokesman said.
Lee Memorial Health System
The integrated delivery system reported that a patient complained Jan. 29, 2010, about receiving a "change of address" postcard from the organization's Infectious Disease Specialists clinic in Fort Myers, Fla., a spokesman said. The patient was concerned that postal service employees could see that he was being treated at a clinic that treats infectious diseases.
Although the postcard contained no personal information about the patients, other than name and address, the organization notified federal officials about the mailing, sent to 3,800 patients.
As a result of the complaint, Lee Memorial will no longer communicate change of address information for its clinics and other sites via postcards, the spokesman said.
Laboratory Corp. of America
The lab company reported the theft of a laptop Feb. 12 at its Dynacare Northwest Inc. unit in Washington state. The breach affected 5,080. Company executives declined to provide further details.