BreachExchange mailing list archives

River Falls Medical Clinic announces patient data breach


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Mon, 4 Feb 2013 11:45:04 -0500

http://healthitsecurity.com/2013/02/04/river-falls-medical-clinic-announces-patient-data-breach/

Perhaps the Office for Civil Rights (OCR) was so specific with
subcontractor language and breach notification amendments in the HIPAA
omnibus rule for good reason. Similar to many recent healthcare data
breaches, River Falls Medical Clinic notified about 2,400 clients of a
breach that was tied to a subcontractor, in this case an outside
cleaning service employee who stole patient records during the summer
of 2012.

The OCR went into great detail in the HIPAA omnibus about how
responsibility has expanded in business associate agreements and
organizations need to be more careful in selecting subcontractors. It
will be interesting to see if the new rules have any effect on
subcontractor-related breaches. It is unclear when the clinic reported
the theft to the police but, according to PierceCountyHerald.com, the
River Falls, Wis. police found the records containing protected health
information (PHI) in the home of the suspect, Gordon A. Eckes II, on
Nov. 28. The compromised PHI included some Social Security numbers,
patients’ first and last names, date of birth, patient and billing
account information such as diagnosis codes, scheduling information,
insurance information, account numbers and medical chart numbers. This
information has since been returned to the clinic.

This case is comparable to the Tallahassee Memorial HealthCare breach
reported last week that involved a lack of governance for paper record
de-identification, as apparently Eckes stole paper documents from
clinic bins with documents that were meant to be shredded. While the
clinic says that it verified the credentials of all of its cleaning
staff and only clinic employees and the shredding company should have
been able to retrieve the documents, these types of breaches back up
the new HIPAA rules regarding subcontractors.

The Herald also reported that the clinic has modified its document
shredding policies and procedures, but didn’t elaborate on what
exactly was going to change. It wouldn’t hurt if one of these days a
healthcare organization that just experienced a breach was transparent
about how exactly it plans on rectifying the situation.

So, what took so long for this to be announced? PHIPrivacy.net brings
up three more questions about timing that have to be asked:

1. When did the clinic first learn that the records had been stolen?
In November when the police returned them or at the time of the theft?
2. When and why did the clinic make the determination that the risk of
harm was low? Did they investigate to determine whether any of the
info had been used between the summer of 2012 and November when the
records were returned?
3. When were patients notified of this incident? And if they were only
recently notified, why the delay between discovery of the breach and
notification?

River Falls Medical Clinic used AllClear ID, an identity protection
service, to send out the notification letter. There will be a plea
hearing at 8:30 a.m. Tuesday, Feb. 25, at the Pierce County
Courthouse.