Slideshow Recent Breaches: Providers and CMS Behaving Badly

  • October 22 2012, 10:53pm EDT
Recent Breaches: Providers & CMS Behaving Badly

While still waiting on final HIPAA rules 3.5 years after HITECH, let’s look at data breaches affecting a total of at least 922,000 patients in the past two months, along with an update on a huge breach last year and a report on Medicare’s own problems complying with existing rules.

Another Episode for MD Anderson

A lost flash drive resulted in MD Anderson Cancer Center’s second major breach in 2012. The facility did not initially disclose the number of affected patients, but its report to the HHS Office for Civil Rights did: 2,264. MD Anderson for the second time in two months pledged to enhance its security in a statement similar to one after a stolen laptop compromised information on 29,201 patients.

Breach of 55,000 Includes SSNs

Cancer Care Group, a radiology practice in Indianapolis, reported the theft of a laptop from an employee’s vehicle containing unencrypted back-up data on 55,000 patients and employees. Compromised information included Social Security numbers, and the practice would not disclose whether affected individuals are being offered credit/identity protection services. The practice now is encrypting all portable electronic media.

Employees Get the Boot

The University of Miami Hospital has fired two employees who remain under police investigation after they confessed to accessing data from registration face sheets that may have been sold. The hospital declined to say how many patients were affected, but gave the number to HHS/OCR: 64,846, using an “abundance of caution.” That’s the number of patients registered at the hospital from Oct 2010 to July 2012. Patients were offered two years of protective services.

Billing Records Sent for Recycling

A billing company’s janitor inadvertently collected unshredded billing records from Litton and Giddings Radiological Associates in Springfield, Mo., and sent them to a recycling center. The practice notified about 13,000 patients. The practice will offer protective services on an individual basis “to each patient as necessary,” according to a spokesperson who was not authorized to further explain.

Hospital Fires Snooping Employees

Akron General Medical Center in Ohio fired a “few” employees for snooping in the records of a female ICU patient who was shot by her husband in a mercy killing, the Akron Beacon Journal reported. The employees were not involved in the patient’s care, and did not share information with others.

SSNs Breached but Hospital Stingy with Protective Services

Blount Memorial Hospital in Maryville, Tenn., has notified about 27,000 patients that protected information, including Social Security numbers for 5,000, was on a laptop stolen from an employee’s home. The hospital is not automatically offering protective services, recommending patients seek the service on their own, but will discuss payment options on an individual basis if a patient wants the hospital to pay.

Attention HIX Builders: Insurance Exchanges Can Get Hacked

The Utah Health Exchange, a state insurance exchange begun before health reform mandated the service, was recently hacked, the Salt Lake Tribune reports. The hack was a graffiti attack of the shopping portal with words garbled, headlines blurred and some pages not accessible. The site was down for about 10 days. No protected health information was involved, as it sits on a separate secure site.

Cops: ER Employee Sold 760,000 Records

The FBI arrested a former employee of Florida Hospital Celebration and charged him with accessing 760,000 records over two years and selling them. Dale Munroe registered patients in the ER and sold records to someone who sold them to chiropractors and attorneys. Patients usually got a solicitation call within a week. The crime, when reported last year to HHS/OCR, was believed to have affected 12,784 patients.

Oversight Report: Medicare’s PHI Protection Lacking

A study by the HHS Office of Inspector General finds the Medicare program had 14 breaches in a 26-month period. The breaches affected 13,775 beneficiaries, 13,412 of them in a single breach. But CMS has notified patients within the mandated 60 days from discovery only half the time, although it managed timely notification of HHS/OCR in all 14 cases. The OIG also said Medicare contractors do a poor job stopping payments on compromised beneficiary numbers; a database holds 284,000 such numbers.