Three Health Data Breaches: The Details
Computers Stolen; Paper Records Missing; Folder Misplaced
Following is a roundup of three new reports of healthcare data breaches that affected patients at Haley Chiropractic Clinic in Tacoma, Wash.; Blue Cross and Blue Shield of Michigan; and the Indian Health Service.
Haley Chiropractic Clinic in Tacoma, Wash., is notifying 6,000 current and former patients about the theft of three computers.
The clinic discovered that its office was broken into on May 12, when burglars stole three computers containing patient information, including: names, addresses, dates of birth, Social Security numbers, health insurance information and diagnosis information. "[We] have no indication that the stolen information has been disclosed to or used by anyone," the clinic says.
Following the incident, the clinic implemented a series of security measures on the billing and patient databases and installed building security. The theft has been reported to the Tacoma Police Department as well as federal authorities.
The clinic did not immediately respond to a request for additional information.
Boxes of Records Missing
More than 300 insurance enrollees at Blue Cross Blue Shield of Michigan are being notified about a breach involving a business associate, the Michigan State Medical Society Physician Insurance Agency, and its storage management vendor, Kent Records Management.
"We recently learned that two boxes containing protected health information for up to 338 of our members could not be located," a Blues plan spokeswoman tells Information Security Media Group. "We understand the sensitivity of this data, have notified affected members and offered them one year of identity theft protection services. This was offered as precaution as we are unaware of any inappropriate use of the information."
Information contained in the paper records includes member names, addresses, dates of birth, group numbers, claim details, provider names, service dates, service descriptions, dollar amounts charged and paid, and Social Security numbers. While the information on the records pertained to Blues plan members, the missing boxes of documents belong to the plan's business associate, Michigan State Medical Society Physician Insurance Agency, which in 2010 and 2011 handled some of the Blues plan's enrollment, according to a statement from the plan.
"On June 12, 2014, the insurance agency informed us that two boxes containing protected health information about the members were misplaced by the agency's storage vendor," the Blues plan says.
While the plan says it was not directly involved in the storage of the member records, "we began working immediately with the agency to investigate the incident, determine who may be affected and identifying processes to help minimize the risk that anything similar could happen in the future, including consideration of a new storage vendor." In the meantime, the records management company "has instituted additional safeguards and quality checks in its process to document the receipt and storage of boxes," the plan reports.
Kent Records Management CEO Greg George tells ISMG that it's uncertain whether his company was ever in possession of the missing boxes. That's because when Michigan State Medical Society Physician Insurance Agency requested the pickup of the boxes for storage, it did not specify how many boxes were to be retrieved. A Kent employee scanned in 12 when they arrived at Kent's facility, but the insurance agency contends it sent 14 boxes of records for pickup, George says.
The employee failed to perform a cross-check procedure that normally catches these kinds of discrepancies, George says. In the wake of the incident, the employee was put on temporary suspension and Kent has modified its procedures.
Records Folder Misplaced
A folder containing protected health information on 620 patients of the Indian Health Service Rosebud Service Unit in Rosebud, S.D., was left by an employee in a public area at the Rapid City Service Unit.
The incident was discovered on May 30, says the Indian Health Service, an agency within the U.S. Department of Health and Human Services that's responsible for providing federal health services to American Indians and Alaska Natives. Potentially exposed information includes patient names, Social Security numbers and U.S. Department of Veterans Affairs enrollment information.
"At this time, the IHS has not received any indication the information has been accessed or used by any unauthorized individuals," IHS says. "The folder was discovered a short time later and was immediately taken to security."
Impacted individuals are being offered one year of free credit monitoring and reporting services, IHS says. As a result of the incident, all staff will receive additional training on HIPAA privacy rule compliance.
(Executive Editor Marianne Kolbasuk McGee contributed reporting to this story.)