U.S. Health Entities Report, Settle Data Breaches Affecting Millions
July 25, 2014 in News
Several health care organizations recently have reported or settled cases regarding data breaches affecting millions of individuals.
Pennsylvania-Based Hospital Breach
Officials at the University of Pennsylvania Health System have notified 661 patients about a data breach that occurred when receipts from Penn Medicine Rittenhouse containing personal health data were stolen last month, the Philadelphia Inquirer reports.
Last week, the health system announced that the receipts had been taken from a locked office. The receipts included patients’:
- Dates of birth;
- Names; and
- The last four digits of their credit card numbers.
Susan Phillips, a senior vice president at the health system, said that there had been no arrests and no reported incidents of identity theft related to the incident, which she described as “very low risk.”
She added that the health system is “reviewing internal procedures to make any needed changes to keep patient information confidential” (Burling, Philadelphia Inquirer, 7/18).
Court Decision on Breach at Calif.-Based Provider Group
A California appeals court dismissed a class-action lawsuit against the Sutter Medical Foundation that was filed after the October 2011 theft of personal health data on four million patients from one of its computers, Health Data Management reports.
The plaintiffs had sued Sutter Medical for $4 billion — $1,000 for each patient affected. A lower court ruled that the plaintiffs could pursue a class-action case.
Sutter appealed the decision and the appeals court sided with the physician network, finding that the plaintiffs did not have standing to sue because they failed to prove harm.
The appellate court in its decision said, “The mere possession of the medical information or records by an unauthorized person was insufficient to establish breach of confidentiality if the unauthorized person has not viewed the information or records” (Goedert, Health Data Management, 7/23).
Details of R.I. Hospital Settlement
Massachusetts Attorney General Martha Coakley (D) announced on Wednesday that Women and Infants Hospital in Providence, R.I., reached a $150,000 settlement with her office following a HIPAA breach that compromised the protected health information of about 14,000 patients, including 12,127 Massachusetts residents, Healthcare IT News reports (McCann, Healthcare IT News, 7/24).
In the summer of 2011, 19 unencrypted back-up tapes went missing. The tapes contained patients’:
- Dates of birth (Jayanthi, Becker’s Hospital Review, 7/24);
- Exam dates;
- Physician names;
- Social Security numbers; and
- Ultrasound images (Hofherr, Boston Globe, 7/23).
According to Coakley’s office, the hospital did not realize the tapes were missing until spring 2012 because of an “inadequate inventory and tracking system” and did not report the breach until September 2012 because of poor internal procedures and employee training.
As part of the settlement, the hospital agreed to perform regular security audits and maintain an inventory of:
- PHI locations;
- Staff members handling PHI; and
- Unencrypted devices containing PHI (Healthcare IT News, 7/24).