Eastern Health Authority Discloses Two Breaches Involving Briefcases Stolen from Employees’ Cars

[Erica Absetz <erica () riskbasedsecurity com>]

http://www.phiprivacy.net/?p=12470

Eastern Health advised today that it has experienced an accidental
breach of privacy of 63 of its clients. The accidental breach occurred
when the briefcase of an employee was stolen from a vehicle while left
unattended for approximately 10 minutes on the evening of April 17,
2013. The briefcase contained one client chart and a notebook with
limited personal health information of 62 other clients. The briefcase
has not been recovered at this time.

“I regret that this incident had occurred, and I apologize to all of
the patients whose privacy has been accidentally breached,” said
Vickie Kaminski, President and CEO of Eastern Health. “We continue to
hold zero tolerance for any wilful privacy breach that occur in our
organization, and will make every effort to learn from this accidental
privacy breach in efforts to further strengthen our privacy and
confidentiality practices.”

Eastern Health has identified all the patients who have been impacted
by the accidental privacy breach, and has contacted the majority of
those impacted as of Thursday, April 25, 2013. The Office of the
Information and Privacy Commissioner has also been notified of the
accidental privacy breach due to theft.

There are incidences when it is appropriate for employees of Eastern
Health to have personal health information outside of its facilities,
such as during the provision of care and service delivery. Eastern
Health has policies in place to help guide the security of personal
health information while it is in use on its property, and when
employees are off-site or in-transit.

This incident is the second accidental breach of personal health
information that Eastern Health has experienced last week. On April
16, 2013, a briefcase was stolen from another employee’s vehicle and
the briefcase contained information on two patients. The briefcase has
since been recovered and the patient information remained intact.

The two patients were advised of the incident.

As a result of this accidental privacy breach due to theft, Eastern
Health has communicated to its managers to remind staff of their duty
and the importance of securing patient information at all given times.

Eastern Health states that there is limited additional information it
can provide regarding the accidental breach of privacy, since the
client group is defined and that any further information could
potentially identify the client group that has been impacted.

As a routine practice, Eastern Health reports any material breaches of
patient privacy, whether accidental or willful, to the Office of the
Information and Privacy Commissioner.

It is Eastern Health’s top priority to protect the privacy and
confidentiality of individuals’ personal health information, and it
holds its responsibility to the public and as a custodian of personal
health information in the highest regard.

SOURCE: Eastern Health Authority
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time
vulnerability, event and compliance monitoring into a single, role-based, interface
for administrators, auditors and risk managers to evaluate, communicate and
report needed information for effective decision making and systems management.