- The health data breach trend has continued right along from summer deep into the fall, as news of a few different types of breaches broke late last week and early this week. While the cases are dissimilar, the symptoms aren’t: Unencrypted data and lack of patient data governance still plague healthcare organizations and patients.
- The first breach was unusual in that it didn’t occur at a healthcare provider’s facilities. Instead, it involved data that patients sent from their homes to their physicians. On Nov. 9, Alere Home Monitoring, Inc. reported that an employee lost patient data after a laptop was stolen from their car and more than 100,000 patients’ data has been potentially compromised. The affected patients used Alere’s International Normalized Ratio (INR) products at home for bleeding and blood clot tests and the information is supposed to be transmitted between the patient and physician.
Information on the laptop included patient names, Social Security numbers, addresses and diagnoses. According to Alere corporate relations director Doug Guarino, while the computer was password-protected, the data itself was not encrypted. He went on to say that no credit or identity fraud has taken place yet, but the laptop hasn’t been found since the case was reported to the police. As detailed here, there are plenty of patients who use Alere products through Medicare coverage. If there ends up being identity fraud or other issues because of unencrypted data being left in an employee vehicle, it will be interesting to see where blame is shifted.
- A data breach was announced in Delmarva, Md. on Nov. 9 as well, in this case it contained mental health patient information. Christopher Devine, Quanishia Williamson-Ross and Lenee E. Williamson all pleaded guilty to conspiracy to commit bank fraud and aggravated identity theft of mental health patients in U.S District Court in Baltimore. Police found documents with personal identification information of approximately 300 individuals, including the 21 victims from an unnamed adult mental health program. According to delmarvanow.com, Devine had purchased those 21 victims’ information from Derrick Elrod, an individual employed with the program, and then used this data to open checking accounts and get check cards in these individuals’ names.
- The Women & Infants Hospital of Rhode Island reported on its website last week that it discovered there were missing unencrypted backup tapes containing ultrasound images from two of its ambulatory sites on Sept. 12. As an update, according to phiprivacy.net, the hospital has reported to the Department of Health and Human Services (HHS) that the breach affected 14,404 patients.
- Back on Nov. 2, 508 Illinois nursing home residents had their personal data stolen from the home of a contractor. The briefcase containing the information was taken on Aug. 31 and the information included names, Social Security numbers, Medicaid recipient numbers and birth dates. According to 10tv.com, the contractor was evaluating the residents for the state.