Office for Civil Rights

Urology clinic suffers data breach

August 5th, 2015

A Montana urology clinic storage unit that housed patient records was broken into and patient data was possibly accessed. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) online breach reporting database shows that 6,500 patients were affected.

Practice manager Tanna Darling mentioned that Urology Associates has sent data breach notification letters to patients. Darling said that “over a few thousand” letters were sent out.

Clinic officials reported that the break-in occurred at the clinic’s storage unit, which is located in a gated facility. It is possible that the unauthorized individual was renting a separate storage unit at the facility and therefore had access to the first gate.

“Everything was in disarray, but it honestly didn’t look like they took anything,” Darling said.

Kalispell Police Department Captain Scott Warnell said that the incident is part of a larger trend that is happening across the county, and that the department is making extra patrols on storage units to ensure that unauthorized individuals are not in the area. Patients whose information was possibly accessed will receive one free year of credit monitoring from Urology Associates.

Montana’s data breach notification law was updated last year.

“Upon discovery or notification of a breach of the security of a data system, a state agency that maintains computerized data containing personal information in the data system shall make reasonable efforts to notify any person whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person,” the law states.

Alertsec strengthens security

Alertsec has created a web-based encryption service that radically simplifies deployment and management of PC encryption by using industry-leading Check Point Full Disk Encryption (formerly Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken the necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Stolen server leads to data breach

February 18th, 2015

Three notices were sent to patients informing them about a data breach caused by a burglary at California dentist Dr. Cathrine Steinborn’s office. Apparently, the first notice didn’t contain enough information, as two more notices were sent.

“Your dental records and radiographs were fully backed up, so there will be no loss of continuity of care,” Steinborn wrote in the first data security notice. “However, your personal identity and insurance information is on the server and could be compromised.”

The first notification failed to tell patients the details of what information may have been compromised by the data breach. Steinborn explained that a door was forced open and the server containing patients’ electronic records was stolen.

A police report was filed and the dentist’s office is working with its property manager “to enhance the physical security of the building,” Steinborn explained.

The second letter mentioned that the dentist’s office does not store patients’ financial information, such as credit cards, or driver’s license numbers, but keeps names, addresses, phone numbers, insurance information, dates of birth and group numbers on file. Patients’ Social Security numbers, as well as all patients’ health history and dental records, are also kept in the office.

“Our server had two levels of password protection, but was not encrypted,” Steinborn said in the second letter. “Currently, our files are in the cloud, in an encrypted form. I will be having the new server encrypted. An IT specializing in HIPAA will complete a thorough risk evaluation and we will be implementing robust physical and IT security going forward.”

The final letter was about security aspects.

“We previously provided notice of this incident to you, and are providing you additional information about the incident and helpful information on protecting against identity theft and fraud.”

Dumpster Case Settled

December 2nd, 2014

More than 1,500 women in Missouri were affected by a data breach when their protected health information (PHI) was compromised after their personal records blew out of a dumpster on a windy day. According to reports, Midwest Women’s Healthcare Specialists has decided to settle the case by paying $400,000 to compensate the patients for the PHI exposure. All affected patients will receive a share of the victims’ fund.

“Both sides worked very hard to get this resolved quickly, and to seek justice for all of those involved,” plaintiff attorney Maureen Brady told the news source.

The affected records include patients’ names, Social Security numbers, addresses, procedures and tests performed. Papers were scattered up to several blocks away by the wind.

“At Midwest Women’s Healthcare we take patient privacy very seriously,” a spokesperson said in an email to the news station back in May. “We continue to thoroughly investigate this issue and will take appropriate action based on our findings. Midwest Women’s Healthcare is in the process of determining which patients may have been affected and intends to notify them as soon as possible.”

After the judge’s approval, letters will be sent to patients explaining the process for receiving funds. It is not known whether the Department of Health and Human Services (HHS) has decided to pursue Midwest Women’s Healthcare for HIPAA violations, or what the status of any such action is. Civil penalties from HIPAA violations, added to any compensation sought by potential victims could add up to amounts.

Neurodiagnostics centre notifies patients of data breach

June 29th, 2014

Colorado Neurodiagnostics of Littleton, Colo. has notified an unknown number of patients after a data breach. According to reports, a laptop containing Protected Health Information (PHI) was stolen from the office. The information that was compromised includes patient names, dates of birth and clinical information, but no Social Security numbers or financial data.

The laptop was password protected, but the status of its encryption was not known. The theft was reported to the Littleton Police and the federal Office for Civil Rights. Colorado Neurodiagnostics is offering affected patients identity protection services. Patients are also encouraged to closely monitor financial accounts and, if there is any suspicious activity

According to the organization, it will use security cameras and boost security training among employees. To further improve security, it should also verify the status of encryption software on its laptops.

OCR dismisses activist group’s HIPAA complaint

May 15th, 2014

An activist group, Change to Win (Ctw), had earlier filed a complaint with the Office for Civil Rights (OCR) after it found that patients’ privacy was compromised. OCR has officially completed its investigation into the Walgreens “Well Experience” program and, after investigation, has dismissed the complaint.

Ctw claimed that pharmacists were leaving their desks unattended, creating a chance of exposing patients’ data. According to Ctw, this was a case of a physical safeguards violation in the Walgreens “Well Experience” program. OCR performed a number of site visits and concluded that there was no reviewable evidence that Walgreens was missing the appropriate protected health information (PHI) safeguards.

However, OCR gave Walgreens some advice regarding the patient consultation room and a screen containing patient names. It also recommended retraining the employees in each store, depending on specific issues. The federal organization will provide Walgreens with technical assistance.

Upon completion of these on-site investigations, OCR found that Walgreens implemented the Well Experience specific safeguards in these stores and, further, these measures appeared to appropriately safeguard patient PHI. OCR noted that in the few stores where there was some evidence of staff error with regard to the implementation of safeguards, this was not evidence of widespread and systemic non-compliance, as the errors varied from store to store.

Unique case where concerned entity didn’t violate HIPAA regulations

March 30th, 2014

A major task of HIPAA is keeping track of data breaches and government penalties for compliance failures. It covers entities that handle patient data in some form. This incident involved Monroeville, Pa., when its 911 dispatch centre, from five fire stations, gave unauthorized users easy access to patient medical records. The accessible information included names, driver’s license numbers, birth dates and medical histories.

Monroeville is a community of about 28,000 with a vibrant business corridor, a convention center and two busy hospitals. The Pittsburgh Post-Gazette had been covering this incident for the last two years and found that Monroeville, Pa. didn’t breach HIPAA regulations. The investigation was carried out by the Department of Health and Human Services (HHS).

HHS learned that the municipality failed to maintain the database properly, and that unauthorized access was terminated soon after the breach was discovered. According to the Office for Civil Rights, ‘Monroeville, its dispatch center, police department or fire department are all not covered under the provisions of the privacy law, which mainly related to health care providers and insurers.’

Two Monroeville council members said they were pleased by the government’s findings. Tom Wilson said, “I was happy that they didn’t find any violations, and the folks that were falsely accused, that took the brunt of the accusations, were completely exonerated.”

Linda Gaydos said, “I am absolutely overjoyed for the employees of our police department, our dispatch center, our EMS and our fire departments and their families, to have this put behind them.” She added, “We had a group of people in Monroeville that worked against Monroeville, and they smoke-screened and they tried to keep stirring the pot and they tried to scare people and make it worse. They’ve made it a very, very bad, uncomfortable situation for a lot of people, and I’m hoping this will put an end to it.”

Municipal Manager Timothy Little said, “I think it lifts a cloud off of Monroeville, and specifically the public safety aspect of the municipality, that there wasn’t any wrongdoing with respect to [health privacy law] violations.”

Complaint filed against St. Rose Dominican Hospitals

February 18th, 2014

An Office for Civil Rights (OCR) complaint has been filed against St. Rose Dominican Hospitals for allegedly compromising patients’ records to gain an advantage in a contract dispute. Dignity Health, which owns St. Rose Dominican Hospitals, is in the process of dealing with the complaint, which alleges that it violated patient privacy by using records for leverage.

According to the announcement by the Nevada Health Services Coalition, Dignity Health accessed patient records by contacting Coalition plan members. This happened when the agreements between the two agencies fell through. It is considered a violation of the Health Insurance Portability and Accountability Act, or HIPAA. The U.S. Department of Health and Human Services Office of Civil Rights filed the complaint. The Nevada Health Services Coalition, a nonprofit, helps negotiate hospital contracts for discounted health care service rates for 19 member group healthcare organizations, including 230,000 Nevada residents.

Christine Carafelli, executive director of the coalition said, “It’s our position that patient data collected in the course of medical treatment should not be used to lobby or gain leverage in contract negotiations.”

After this complaint, Dignity Health released a statement:

“St. Rose Dominican Hospitals upholds the highest ethical and moral principles, and honors federal, state and other regulatory guidelines related to the provision of health care. St. Rose has not, and will not, compromise patient safety or confidentiality. Like all hospitals, St. Rose values the patients it has served and regularly communicates with current and former patients regarding operational, financial or other matters related to health care services at St. Rose.”

To protect your data arising out of disputes, it is better to safeguard company laptops with encryption software. Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization. Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Data breach at Kaiser Foundation Hospital

November 25th, 2013

Not a single week goes by without a healthcare data breach incident in which a laptop or USB flash drive is stolen. The latest data breach victim in this league is the Kaiser Foundation Hospital Orange County – Anaheim Medical Center, which is alerting patients that their data had been compromised when a flash drive with their information on it went missing.

The California Attorney General did not reveal the number of patients affected, but Kaiser’s letter was released to patients and explained that patients’ names, medical record numbers, and dates of birth were included on the flash drive; Social Security numbers were not.

Patients were not even offered the usual year of credit monitoring by Kaiser, which may be considered trite at this point but should be interpreted as a good-faith effort. Instead, it stated that it respects patients’ rights to file a complaint both with Kaiser and with the Office for Civil Rights. For an organization that still isn’t done with its ongoing, extremely-public legal battle with Surefile, it would be reasonable to expect the organization to do more than say it respects patients’ abilities to complain about their privacy being breached.

Moreover, its notification letter has very little transparency. In addition to the number of affected patients being unknown, Kaiser is not coming forward with information such as whether the data was encrypted and whether it was lost or stolen from inside or outside the organization. Kaiser isn’t a “mom and pop” shop that isn’t aware of HIPAA and the degree to which patient data safety is federally regulated. Even if its Anaheim Medical Center is just part of the organization, in comparison to other breached organizations’ responses, some may argue that Kaiser should be able to make a better effort in notifying patients from both risk mitigation and informational standpoints.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Health data breach complaint filed by Milwaukee

November 10th, 2013

Dynacare, a clinical laboratory services company, lost a USB flash drive with unencrypted patient data in a data breach incident. Milwaukee handed the data over to Froedtert Health’s Workforce Health, a public health organization that had contracted with and has an ownership interest in Dynacare.

The lost flash drive contained the data of 6,000 Milwaukee employees, such as names, addresses, dates of birth, Social Security numbers and gender. It also stored the names of 3,000 spouses and domestic partners, so a large number of Milwaukee patients were affected. The city’s complaint may be redundant in light of Dynacare previously reporting the breach to the Department of Health and Human Services (HHS). Here is the statement from Milwaukee City Attorney Grant Langley:

After consultation with members of the Common Council and the Mayor, the Office of the City Attorney has decided to file a formal complaint with the federal Office of Civil Rights against Dynacare Laboratories for its admitted breach of HIPAA security requirements regarding the private information of more than 9,000 City of Milwaukee employees, their spouses and their domestic partners.

I will be taking this action on behalf of the city and its employees based on Dynacare’s recent filing of a notice of breach of unsecured protected health information, its apparent unwillingness to communicate or cooperate with city representatives or to release details of its investigation, its failure to provide information to the city in order to protect our employees and the misleading comments Dynacare provided to the media.

It is important to note that the city’s contract for its wellness program is with Froedtert Community Health/Workforce Health. That is the entity to which the city provided employee information in a secured and password-protected manner, not Dynacare. The city continues to investigate the matter, and at this time has not ruled out further litigation.
