This blog series has been following the continuing flow of large security breaches of Protected Health Information (“PHI”) and how affected providers and insurers have been responding to their discovery. The University of Rochester Medical Center (“URMC” or the “Medical Center”) joined the parade of large PHI security breaches two times in 2010.

The U.S. Department of Health and Human Services website, which provides a list (the “HHS List”) required by HIPAA/HITECH of large reported breaches of unsecured PHI incidents affecting 500 or more individuals, reveals that URMC had two large security breaches during 2010 (the “2010 Breaches”). The first 2010 Breach posted for URMC on the HHS List on May 28, 2010, related to 2,628 individuals from an “Unauthorized Access of Paper Records” that occurred on April 19, 2010. The second 2010 Breach posted for URMC on the HHS List on September 21, 2010 related to 857 individuals from a “Lost Portable Electronic Device” that occurred on August 2, 2010. 


There are several interesting aspects about the URMC events. First, like the incident at University of Tennessee Medical Center discussed earlier in this blog series, URMC apparently has determined that it is not necessary or appropriate to publish the 2010 Breaches in the URMC Newsroom or elsewhere on the URMC website. A review of the list of 345 stories presently posted in the 2010 News Archives on the URMC website revealed no reference to either of the 2010 Breaches.


It is somewhat disappointing that URMC has chosen not to communicate with its Internet community on the 2010 Breaches, as numerous other institutions with large PHI security breaches have chosen to do. It is even more puzzling in light of the fact that Peter Chesterton, MBA, the long-time Chief Privacy Officer and Chief HIPAA Security Official for URMC, has been a recognized leader and lecturer in the area of PHI security and privacy. He is also currently listed as a member of the University of Rochester Data Security Taskforce in the Office of the Provost (the “Provost Taskforce”). 


Mr. Chesterton lectured at the 4th Academic Medical Center Privacy and Security Conference on June 11, 2007 on the topic “Protecting PHI Shared with Private Physician Practices” and at the 5th Academic Medical Center Privacy and Security Conference on March 2, 2009 on the topic “AMC Privacy and Security: New Challenges, New Solutions – Best Practices for Compliance.”


As a matter of fact Slide 23 on “Recent Developments” in Mr. Chesterton’s 2009 presentation referred to a “recent security incident.” Presumably his reference was to a January 11, 2009 data security breach, which was reported by  as having occurred at the University of Rochester (the “2009 Breach”), that involved 450 individuals from a “Hacked Database.”


It is not clear that the 2009 Breach involved PHI which is covered by HIPAA/HITECH or whether it related to the University of Rochester or URMC. In any event the 2009 Breach preceded the establishment of the HHS List and would not have been reportable on the HHS List had it been PHI because fewer than 500 individuals were affected. If the 2009 Breach related to the University of Rochester and not to the Medical Center, Mr. Chesterton’s knowledge of the 2009 Breach could have come from his membership on the Provost Taskforce.


Clearly Mr. Chesterton is not responsible for the publication policy of the URMC website or its news postings. However, I believe that the multiple occurrences of PHI security breaches in 2010 at URMC is a serious matter. The posting of the 2010 Breaches (and the 2009 Breach if it related to the Medical Center) on the URMC website would have demonstrated that URMC has a commitment to act responsibly and do more than what is (to borrow a phrase from HITECH in a different context) “the minimum necessary” for communicating a large PHI security breach. This would accelerate the rehabilitation of confidence and relations with patients and the Medical Center’s larger constituency.