This blog series has been following the continuing flow of large security breaches of Protected Health Information (“PHI”) and how affected providers and insurers have been responding to their discovery. A major PHI security breach involving Eisenhower Medical Center (the “Center”) was recently posted on the U.S. Department of Health and Human Services (“HHS”) Web site that lists breaches of unsecured PHI affecting 500 or more individuals. The Center, which is located on Bob Hope Drive in Rancho Mirage, near Palm Springs, California, houses, among other areas, the famous Annenberg Center for Health Sciences at Eisenhower, the Barbara Sinatra Children’s Center at Eisenhower and the Betty Ford Center on the Eisenhower campus.
The HHS posting respecting the Center reports that a PHI breach affecting 514,330 persons (the “Center Breach”) occurred on March 11, 2011, from the “Theft” of a “Desktop Computer.” As a result, the Center appears to have suffered the third largest PHI security breach reported on the HHS Web site during 2011 to date, trailing only
(i) the Health Net breach earlier reported in this series that involved 1,900,000 persons and
(ii) the New York City Health and Hospitals Corporation’s North Bronx Healthcare Network breach with a reported 1,700,000 persons potentially affected.
The Center Breach was reported as item 38 on page 16 of the U.S. Department of Homeland Security (“DHS”) “Daily Open Source Infrastructure Report for 1 April 2011.” The DHS report quoted Center officials and the Center’s Director of Marketing and Public Relations as saying,
“The computer was password protected, but not encrypted. The information in the . . . file included patient names, ages, dates of birth, the last four digits of the Social Security number, and the hospital’s medical record number. . .
“The theft occurred late in the day March 11, but the hospital was not aware the computer had been stolen until March 14. On March 17, officials learned the backup patient file was on the stolen computer . . . [T]he theft was reported to the Riverside County Sheriff’s Department March 18. The file was a backup file that was not displayed on the computer’s desktop.”
In spite of the more than 500,000 individuals reported as having been affected by the Center Breach, the information made available to date by the Center has been sparse. A visit to the home page of the Center’s own Web site does not reveal any mention of the Center Breach. Similarly, a search of the 1,446 items dating back to 2004 in the Center’s News Archives on its Web site (the “News Archives”) turns up no reference to the Center Breach.
The only article in the News Archives relating to privacy, which appeared to be from early 2009, reported that the Center was rolling out a privacy code system to augment guidelines under the privacy standards for the use and disclosure of PHI (excluding information available in the hospital directory) to a patient’s family, significant other and friends. That article also stated, “All Eisenhower employees are required to complete a mandatory privacy NetLearning training module in April.”
(NOTE – The conclusion that the year of the privacy article in the News Archives was 2009 could be determined only from a review of surrounding news items. The News Archives are deficient because they give no dates of posting, unless the dates are indicated in the bodies of the articles themselves.)
It is perplexing that a hospital of the stature of Eisenhower Medical Center has been relatively silent about the Center Breach that has affected so many individuals. Nor has the Center disclosed what, if any, proactive remedial actions it will be taking to avoid a similar occurrence in the future. However, it is clear that more will be heard about this event, as CaliforniaHealthline.org has reported, “The not-for-profit medical center is sending notification letters to affected patients, and the California Department of Health will investigate the incident.”