Two Data Breaches in Kentucky
Two Kentucky hospitals in recent days have disclosed breaches of protected health information.
Our Lady of Peace, a psychiatric hospital in Louisville, is notifying 24,600 individuals after a flash drive went missing on April 1. The hospital does not have a notice published on its Web site, but a notice is published on the site of corporate parent Jewish Hospital & St. Mary's Healthcare. The hospital ran a legal advertisement notifying the public in the Courier-Journal, Louisville's largest newspaper, on April 29.
The new breach notification rule under the HITECH Act requires disclosure within 60 days for breaches known to affect 500 or more individuals. Smaller breaches must be reported on an annual basis.
The flash drive contained unencrypted data on patients admitted since 2002 and patients assessed, but never admitted, since 2009. Data on admitted patients included name, room number, insurer name, and admission and discharge dates. It did not include diagnoses or treatments, Social Security number, date of birth, telephone numbers or address.
Data on assessed patients included name, date of assessment, date of birth and the time they left the hospital. It did not include diagnoses or treatments, Social Security numbers, telephone numbers, address or insurance information.
Our Lady of Peace is now re-educating employees on ways to protect patient information, implementing encryption technology and disciplining an undisclosed number of employees, according to a media statement. A spokesperson declined further comment.
In the second breach incident, The Medical Center in Bowling Green is notifying 5,418 patients following the theft of a hard drive from the hospital's mammography unit. The unencrypted drive contained information on patients who underwent bone density testing at the hospital between 1997 and 2009. The drive was found to be missing on April 1 and the hospital made the announcement on April 28.
Data on the hard drive was not encrypted, but it was in a locked, "non-public" area, according to the hospital. The data included patient name, date of birth, address, medical record number and physician. In some instances, it also included Social Security numbers, weight, height and menopause age.
The Medical Center has started to enhance its patient information security following the breach. "We will now archive data to a secure network, which will allow us to eliminate the need for use of a hard drive like the one that was stolen," according to a statement on its Web site. "Additionally, we will ensure that we do not have any other equipment configurations that utilize a portable hard drive containing non-encrypted data."
The hospital has been working toward the goal of having all data encrypted, an initiative that started before the data breach, says Doris Thomas, vice president of marketing and development for parent corporation Commonwealth Health Corp.
Both hospitals are advising affected patients to contact credit bureaus and place a fraud alert on their credit reports, and to check their reports on a periodic basis.
The Medical Center in Bowling Green is not yet offering free credit and identity theft protection services to patients whose breached data included Social Security numbers. "We have no reason to believe the device was stolen for the information contained in it," Thomas says. "We have no evidence that any of the information has been released or used."
Offering the protection services "would be something we'd look at if the need arises," she adds.