Michigan Agency Breaches PHI But Says Not Bound by HIPAA
The Michigan Department of Community Health has notified more than 49,000 individuals that a server of the Michigan Cancer Consortium holding their names, birth dates, Social Security numbers, cancer screening test results and testing dates was hacked.
But the department does not consider the compromised data to be protected health information and did not notify local media or the HHS Office for Civil Rights, which enforces the federal health care privacy, security and breach notification rules.
The information was on a server of a private contractor that hosts the Michigan Cancer Consortium Web site. The information was on a password-protected section of the site that the department uses to communicate with local agencies carrying out cancer screening activities, according to a department spokesperson. The information since has been moved to a secure department server.
Neither the department nor the consortium, which is composed of providers, payers and associations cooperating on cancer research, has placed a public notice of the breach on its Web site. The notification letter to patients advises them to place a fraud alert with the three major credit bureaus. A spokesperson for the department told WWJ Newsradio in Detroit that the breached information was not a medical record, and did not include addresses or identifiable contact information, but was “simply testing reports.”
A WWJ employee, however, reported on July 4 that a few days after receiving a notification letter from the department, a fraudulent effort was made to apply for a Kohl’s credit card in her name, but the application was denied.
Responding to questions from Health Data Management, a Michigan Department of Community Health spokesperson said the compromised data “were not medical records and therefore, no notification under HIPAA was sent to individuals. However, because the reports contained Social Security numbers, the Identity Theft Protection Act did apply. MDCH therefore contacted individuals about the breach along with steps that could be taken to protect from the potential for identity theft.”
Having determined that the breach did not fall under the HIPAA breach notification rule, the department did not notify local media. The department’s Cancer Prevention and Control Section, where the information originated, is not a HIPAA-covered component of the Michigan Department of Community Health, the spokesperson notes.