BreachExchange mailing list archives

Break-in at North Lincoln County Community Health Center Clinic


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Fri, 21 Jun 2013 10:27:49 -0500

http://www.thenewsguard.com/news/article_6cae4b3c-d549-11e2-9aeb-0019bb2963f4.html

NEWPORT - "It feels really not good and it is a violating feeling to
have someone break into your clinic," said Gretchen Gantz, HIPAA
Privacy and Security Officer for Lincoln County Health and Human
Services.

Her statement follows the break-in of the North Lincoln County
Community Health Center Clinic at 4422 N.E. Devils Lake Blvd., in
Lincoln City.

"Plus we now have the added expenses of having to replace things that
are grant funded. We run on a shoestring budget, so it is hard when
you have a hit like that," said Gantz.

During the evening of April 17, the Clinic and surrounding offices in
the same building were broken into by an unknown person or persons,
according to a release from Casey Miller, Lincoln County public
information officer. Locked doors, rooms and cabinets were forcibly
entered. Money was taken from the clinic, but it appears no other
records or materials were removed. No electronic devices were taken or
accessed. However, the locked room which contains medical charts for
clients was breached.

These files contain protected health information and may also contain
information such as social security numbers and personal financial
information. Lincoln County has identified and notified the clients
whose protected health information and personal information was in
those files.

"In accordance with law and standard practices in these situations we
are notifying clients of this breach of our security because this
information potentially could be compromised," said Casey. "The
charts have been secured and security at the clinic is being enhanced.
At this time, there is no evidence to suggest that there was an
attempt to obtain or use any protected health or personal
information."

But Casey said there is always some risk in these situations, so
Lincoln County is contacting the three major credit reporting agencies
about the incident and has given those agencies a general report,
alerting them to the fact that the incident occurred.

"There is a potential that protected health information could have
been breached," said Gantz. "That's why we are notifying all our
clients."

Letters were sent to about 1,000 North Lincoln County Community Health
Clinic clients on June 13.

"We want our clients to make sure their personal financial records are
secure," said Gantz. "Just in case. It is due diligence to make sure
that our clients are taken care of."

Gantz said none of the computers, other electronic equipment and
medical supplies were disturbed.

"It appears that the suspect or suspects knew how to effectively use a
crow bar. We have to replace several desks and several doors that were
damaged by the crow bar."

She said the clinic's safe was also broken into and about $170 taken.

The News Guard's calls to Lincoln City Police detectives about suspect
information have not been returned as of June 18.

Gantz said public notification of the break-in was delayed due to the
investigation circumstances and the need to first notify clinic
clients.

Clients were given a recommendation to monitor their financial
accounts and promptly contact the financial institution if any
unauthorized activity is observed. Clients can also submit an identity
theft complaint to the Federal Trade Commission by calling toll free
to 1-877-ID THEFT (1-877-438-4338) or online
at https://www.ftccomplaintassistant.gov/

Clients may also want to contact the three credit reporting agencies
(Equifax, Experian and TransUnion) to obtain a free credit report from
each by calling 1-877-322-8228 or online at
www.annualcreditreport.com. Even if suspicious activity is not found
on initial credit reports, the Federal Trade Commission (FTC)
recommends that credit reports be checked periodically.

Consumer protection laws allow people to place a security freeze or a
fraud alert on their credit files. By placing a freeze, someone who
fraudulently acquires personal identifying information will not be
able to use the information to open new accounts or borrow money in
another person’s name. An alert places a statement in the credit file
that notifies anyone requesting a copy of the credit report that the
person may be the victim of an ID theft. Generally, if an identity
theft complaint is filed with the FTC as outlined above, there may be
no charge to place the freeze. If, however, any client involved in
this incident is charged and pays a cost from the credit reporting
agency associated with this option, they can contact the county at the
address below and provide documentation of payment to be reimbursed.

Lincoln County will provide additional information concerning identity
theft on its website at www.co.lincoln.or.us.

Lincoln County takes the role of safeguarding the personal information
of clients very seriously and is doing everything it can to prevent
this situation in the future.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss-discuss
