Health Care Organizations Report Data Breaches, HIPAA Settlements
Several U.S. health care organizations recently have disclosed data breaches, potentially affecting thousands of individuals.
Akron Children’s Hospital Data Breach
Last month, Akron Children’s Hospital in Ohio began informing 7,664 patients and families that a device containing their protected health information has been reported missing, Health IT Security reports.
The missing device is a backup drive that holds voice recordings of conversations between hospital workers and dispatchers during medical transport of patients between September 2014 and June 2015.
The recordings contain patients’:
- Ages;
- Birthdates;
- Chief medical complaints;
- Genders;
- Locations;
- Medical record numbers;
- Physicians; and
- Transport times.
The device does not include:
- Financial information; or
- Social Security numbers.
The device had been stored in a locked location at the Akron Hospital campus. The hospital said it will now encrypt mobile devices and will no longer use them to hold transport voice recordings (Heath, Health IT Security, 8/26).
Boston University Data Breach
Officials at Boston University have alerted state officials to a potential data breach after a university server was infiltrated by a third party, Health IT Security reports.
In May 2015, the university learned that one of its network servers was attacking a system in Nova Scotia. An investigation determined that the server had been infiltrated by a third party who had installed a hacking toolkit.
In a letter to the Maryland Office of the Attorney General, officials said the server contained information on several individuals who participated in a Boston University research study, including their:
- Birthdates;
- Dates relating to the research;
- Medical record numbers;
- Names; and
- Social Security numbers.
University officials said personal information was removed upon discovering the issue (Snell, Health IT Security, 8/31).
UCLA Health Data Breach
On Tuesday, UCLA Health issued a notice that 1,242 patients’ data could be affected after a faculty member’s laptop was stolen earlier this year, City News Service/Los Angeles Daily News reports.
The incident comes after UCLA in July announced it had experienced a cyberattack that could affect up to 4.5 million individuals.
The laptop was reported stolen on July 3. It was password protected.
The laptop contained patients’:
- Health information;
- Medical record numbers; and
- Names.
However, it did not contain:
- Credit card numbers or other financial information;
- Health plan ID numbers; or
- Social Security numbers.
UCLA Health in a statement said, “At this time, there is no evidence that any individual’s personal or medical information stored on the laptop has been accessed, disclosed or used.”
UCLA Health has informed regulators and started a designated phone line to help those who may have been affected (City News Service/Los Angeles Daily News, 9/1).
Cancer Care Group Fined $750K Over HIPAA Violations
On Wednesday, the HHS Office for Civil Rights announced it has reached a $750,000 settlement with Cancer Care Group, an Indiana-based oncology radiation practice, over alleged HIPAA violations from a breach that occurred three years ago, Healthcare IT News reports.
In August 2012, the group reported a HIPAA security breach to OCR after a laptop and unencrypted backup media were stolen from an employee’s car (McCann, Healthcare IT News, 9/2). The device contained the personal health information for about 55,000 patients, including:
- Addresses;
- Birthdates;
- Clinical data;
- Insurance information;
- Names; and
- Social Security numbers (Goedert, Health Data Management, 9/2).
An investigation by OCR revealed the group was not in compliance with HIPAA security requirements prior to the breach.
As part of the settlement, Cancer Care Group has agreed to conduct a risk analysis to be submitted to HHS for review (Healthcare IT News, 9/2).