San Jose Medical Supply reports insider breach; sues former employees and two competitors

[Erica Absetz <erica () riskbasedsecurity com>]

http://www.phiprivacy.net/?p=13203

There are some details I routinely look for in breach reports.  So
when I saw a breach report yesterday that indicated the breach
occurred in August 2011 and wasn’t discovered until June 27, 2013, it
caught my eye.

According to a letter sent this week to affected customers and
patients,  San Jose Medical Supply Company (SJMS) recently discovered
a breach that had occurred when the business was under previous
ownership.  In a letter to those affected, Jesille Kuizon, President
of the company, explained that when the former owner of the firm died
in August 2011, the company continued operating through its employees
and agents under the supervision of trustees. In August 2012, the firm
was bought from the former owner’s probate estate. The new owner
“uncovered certain suspicious activity taken by the former employees,
officers and/or agents of the prior owner, which may have compromised
the security of customer’s health information. ”

In June, the firm confirmed  that there had been a breach that
occurred between August 2011 and December 2011. The breach resulted in
the unauthorized disclosure of the customers’ information.

None of the employees involved in or responsible for the are still
employed by the firm and a civil  lawsuitwas filed against them in
Santa Clara Superior Court in April. Among the defendants in that case
are two medical supply firms, Front Medical Supply and Baypoint
Medical Supply.   In their notification letter dated July 17 and
submitted to California’s Attorney General’s Office, SJMS writes to
its customers:

We believe that these individuals disclosed your information to Front
Medical Supplies, Inc. (“Front Medical”) and/or Living Medical
Equipment, Inc. (“Living Medical”). You may have been contacted by
Front Medical and/or Living Medical, and you may have received
misleading information from them about San Jose Medical. Please note
the following:

San Jose Medical has NEVER dissolved or filed bankruptcy. To the
contrary, it continues to operate in the same location, and has
continuously operated for over 20 years. San Jose Medical only
operates under the name of “San Jose Medical Supply Co., Inc.” San
Jose Medical Supply Co., Inc. DOES NOT operate under any other name
and has NEVER changed its name to Front Medical, Living Medical or any
other name
Front Medical Supply and/or Living Medical Supply ARE NOT and HAVE
NEVER BEEN affiliated or partnered with San Jose Medical Supply Co.,
Inc.
San Jose Medical Supply Co., Inc. NEVER transferred or sold your
health information, medical records, or prescriptions to Front Medical
Supply and/or Living Medical Supply. These businesses obtained your
information in violation of health privacy laws.
San Jose Medical Supply Co., Inc. NEVER authorized Front Medical
Supply and/or Living Medical Supply to provide medical supplies to
you, on our behalf, or as an extension of San Jose Medical Supply Co.,
Inc.

The PHI that may have been improperly disclosed included full name,
date of birth, Social Security number, home address, Medi-Cal ID
number, physician’s name and contact information, prescriptions, past
invoices to SJMS, diagnosis, disability code, and type and quantity of
medical supplies ordered from SJMS.

It is important to note that the allegations in the lawsuit are just
that – allegations.  It is not clear why the lawsuit names Front
Medical Supply and Baypoint Medical Supply, when the breach
notification letter names Front Medical Supply and Living Medical.

All of the defendants, including the two medical supply firms, are
represented by Tingley Piontkowski LLP, who have not responded to
PHIprivacy.net’s request for a statement by the time of this
publication.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges.