28 Health Data Breaches in the Past 6 Months

[Jeffrey Walton <noloader () gmail com>]

http://www.beckershospitalreview.com/hospital-physician-relationships/28-health-data-breaches-in-the-past-6-months.html

1. A staff member at the Lexington (Ky.) VA Medical Center took home
patient files, slides, images and data on his laptop without
authorization. The data held approximately 1,900 veterans' personal
information, including names, the last four digits of Social Security
numbers, dates of birth and medical diagnoses.

2. Southern California Medical-Legal Consultants, which represents
physicians and hospitals seeking payment from patients receiving
workers' compensation, unknowingly had medical files for nearly
300,000 Californians unsecured on the Internet. The records included
insurance forms, Social Security number and physicians' notes.

3. St. Francis Hospital in Wilmington, Del., recovered a thumb drive
that was misplaced last week, causing the hospital to alert 500
patients to a possible data breach. The information on the drive
included the patients' names but not Social Security numbers,
addresses, telephone numbers, health insurance or billing information.

4. A Health Net data breach in January may have affected more people
than initially thought: Health Net originally said the data breach
affected 2 million nationwide, including 124,000 in Oregon. Now,
however, Health Net has found that 6,300 more people in Oregon were
affected.

5. A data breach at Boston-based Brigham and Women's Hospital and
Faulkner Hospital in Jamaica Plain, Mass., may have involved 638
patients' medical records. The physician notified the hospital and
said patient information had been downloaded to the drive and then
deleted.

6. A mailroom employee at Mills-Peninsula Medical Center in
Burlingame, Calif., stole medical records of roughly 1,500 patients.
Most of the records contained patient names and diagnostic test
results. Fifteen stolen records included patient addresses and either
insurance identification of Social Security numbers.

7. One of Boston-based Beth Israel Deaconess Medical Center's computer
service vendors failed to restore security settings on a computer,
which later was found to have a virus and transmitted data files of
2,021 patients to an unknown location. The computer contained names,
genders, birthdates, medical record numbers and names and dates of
radiology procedures, but it did not include financial data or Social
Security numbers.

8. Winston-Salem, N.C.-based Wake Forest Baptist Medical Center had a
data breach of medical records and documents that affected 357 people.
Linda Bowden Turner, an employee fired on June 1, had taken pages from
136 patient medical records and 221 employee documents, which included
Social Security numbers of past and current employees.

9. A city employee who was working as a nurse at Memorial Hospital in
Colorado Spring, Colo., was accused of improperly accessing 2,500
patient medical records. Investigators reported the nurse was most
likely not using the information for identity theft but did not
disclose any other reason for why she accessed the records.

10. A laptop that contained the names and birth dates of roughly 2,000
patients at Hurley Medical Center in Flint, Mich., went missing. The
laptop did not include Social Security numbers or addresses.

11. Approximately 880 patients at Troy (Ala.) Regional Medical Center
had some of their personal information improperly accesses and removed
from the hospital. Patient data that was taken included name, address,
date of birth, Social Security number and medical record number, the
release said.

12. The Colorado Department of Health Care Policy and Financing lost
personal data on 3,590 medical-aid applicants. While data such as date
of birth and Social Security number were not on the lost computer
disk, health data protected under HIPAA as well as addresses and state
identification numbers for the applicants were.

13. A data breach at the California Department of Public Health
affected the personal and workers' compensation information of nearly
9,000 current and former employees. Stolen information included names,
addresses, Social Security numbers, birth dates and other personal
records.

14. A Colorado nurse who worked occasionally at Boulder (Colo.)
Community Hospital improperly accessed information of 74 patients.
Cannon Tubb, who has already been indicted on 90 charges of attempted
theft, identity theft and theft of medical records at two other
Colorado hospitals, is now under investigation for looking up
demographic information of BCH patients, although hospital officials
were uncertain what specific information had been taken.

15. An employee of Miami-based Jackson Health System accessed
confidential patient information of 1,800 people. The employee no
longer works for the system and all affected patients were alerted of
the situation and offered free fraud protection.

16. A woman stole medical records of approximately 4,500 patients at
Trinity Medical Center in Birmingham, Ala. The medical records
included names, birth dates and Social Security numbers.

17. Spartanburg (S.C.) Regional Hospital notified thousands of
patients of a possible data breach of their personal and medical
information after a hospital laptop was stolen from a hospital
employee's car. The laptop contained sensitive information including
but not limited to addresses and Social Security numbers. The report
did not include how many patients were affected.

18. A data breach at Reedsport, Ore.-based Dunes Family Health Care
may have affected an undisclosed number of current and former patients
of the family health clinic. Many of the stolen files contained
patients' Social Security numbers and other personal information.
Other files did not include SSNs but may have included a name, date of
birth, address or clinical information.

19. A laptop containing protected health information for approximately
6,000 patients was stolen from Speare Memorial Hospital in Plymouth,
N.H. Personal health information on the laptop included patient names,
address, hospital account numbers, medical record numbers, physician
names, dates of service, procedure codes and diagnosis codes.

20. The medical and billing records of approximately 1,200 patients at
Minneapolis-based Fairview Health Services went missing during a move
to a new office. The medical and billing records included patients'
names, birth dates and medical diagnoses.

21. Personal pay stub data of some UMass Memorial Healthcare employees
was exposed to unauthorized access for five months during a computer
access breach. The potentially exposed personal information included
names, bank names, bank transit numbers and bank account numbers but
not Social Security numbers or medical records.

22. MidState Medical Center in Meriden, Conn., announced an employee
of Hartford Hospital has been dismissed following an investigation
into the employee's improper transfer of 93,500 MidState patients'
information to a personal hard drive. The hard drive contained
patients' names, addresses, birth dates, Social Security numbers and
medical record numbers.

23. A hospital computer and television were stolen from Eisenhower
Medical Center in Rancho Mirage, Calif. The computer was password
protected but not encrypted. It contained an electronic index with
limited patient information, including patient names, ages, dates of
birth, the last four digits of Social Security numbers and the
hospital's medical record number.

24. Portland (Ore.) Veterans Affairs Medical Center may have lost a
bundle of patient identification cards that went missing after they
were mailed back to the facility. The identification cards have
veterans' names, photographs and special eligibility indicators
printed on them.

25. Saint Francis Hospital at Broken Arrow (Okla.) experienced a
burglary and theft of a computer from a secured information systems
room that contained personal information on 84,000 patients. The data
contained the names, the Social Security numbers, addresses and
diagnostic information on patients who were treated prior to 2004.

26. The private information of 3,655 patients at Charleston (W.V.)
Area Medical Center was affected by a data breach. Patients' names,
addresses, birth dates, Social Security numbers, patient IDs and other
sensitive data were easily accessible on WVChamps.com, a CAMC website
relating to respiratory and pulmonary rehabilitation for seniors.

27. The University of Massachusetts Amherst notified University Health
Services patients that their protected health information was possibly
breached after a workstation was inadvertently infected with a malware
program. The data contained 942 patients' names, health insurance
company names, medical record numbers and information on prescriptions
dispensed between Jan. 2, 2009-Nov. 17, 2009, including the
medication, dispensing pharmacist, quantity, length of prescription
and physician's name.

28. Three employees at University of Iowa Hospitals and Clinics were
fired after a hospital investigation found they inappropriately
breached electronic medical records of 13 Iowa football players.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Learn encryption strategies that manage risk and shore up compliance.
Download Article 1 of CREDANT Technologies' The Essentials Series:
Endpoint Data Encryption That Actually Works
http://credant.com/campaigns/realtime2/gap-LP1/