Security Breach Notification

 A New England hospital has reported the disappearance of backup tapes containing ultrasound images and personal data of 14,000 patients. How do you handle a data loss when you don’t have any way of determining where the data went or who may have seen it?  Is it still a “breach” in the technical sense?

These questions

Much has been written about the circumstances surrounding the agreement of Massachusetts Eye and Ear Infirmary (“MEEI”) to pay the U.S. Department of Health and Human Services the sum of $1.5 million to settle potential violations involving an alleged 2010 security breach of PHI under HIPAA. However, relatively little has been written that the 2010 breach was the second of what may be three significant PHI breaches experienced by MEEI within the last three years.
Continue Reading

Within the last week, The Boston Globe has reported that venerable Boston Children’s Hospital, the primary pediatric teaching hospital of Harvard Medical School, has notified the public media and affected individuals of a large PHI security breach that occurred in Buenos Aires, Argentina.
Continue Reading

On March 30, 2012, a large data security breach, which has not yet been posted on the U.S. Department of Health and Human Services list of breaches of unsecured PHI, was experienced by the Utah Department of Technology Services on a computer server that stores Medicaid and Children’s Health Insurance Program claims data.
Continue Reading

On February 24, 2012, HHS posted number 400 on its ever-lengthening list of breaches of unsecured PHI affecting 500 or more individuals. Theft of laptops is a recurrent source of such breaches, and the 400th breach was such an incident affecting Triumph, LLC in North Carolina.
Continue Reading