University of Rochester

In January 2011 this blog series discussed here and here that the University of Rochester Medical Center (“URMC” or the “Medical Center”) became a marcher twice in 2010 in the parade of large Protected Health Information (“PHI”) security breaches.  The U.S. Department of Health and Human Services (“HHS”) publishes a list (the “HHS List”), which posts large breaches of unsecured PHI incidents affecting 500 or more individuals.  The HHS List now reveals that URMC reported a third large security breach that occurred on February 15, 2013 (the “2013 Breach”). The HHS List reveals that 537 individuals were affected by a URMC loss of an “other portable electronic device.”  There are several interesting aspects about the 2013 Breach.

First, this blog series earlier observed that URMC apparently determined that it was not necessary or appropriate to publish its PHI breaches in 2010 in the URMC Newsroom or elsewhere on the URMC website.  Our later post reported a reader’s comment that the second breach of URMC in 2010 could be located with some effort on the general University of Rochester website.  In contrast, however, the 2013 Breach was prominently published by URMC on May 3, 2013 in the URMC Newsroom and can be found in the 2013 archives.

Apparently a URMC resident physician misplaced a USB computer flash drive that carried PHI and which was used to transport information used to study and continuously improve surgical results. The information was copied from other files and, therefore, the Medical Center believes its loss will not affect follow-up care for any patients.  Additionally, the URMC posting observed that “after an exhaustive but unproductive search, hospital leaders believe that the drive likely was destroyed in the laundry.”

According to the URMC posting,

The flash drive included the patients’ names, gender, age, date of birth, weight, telephone number, medical record number (a number internal to URMC), orthopaedic physician’s name, date of service, diagnosis, diagnostic study, procedure, and complications, if any. No address, social security number or insurance information of any patient was included.

It is refreshing that URMC has given the public notice of the 2013 Breach on its website.  Significantly, URMC also disclosed its development of new policies for the use of smart phones, iPads and other mobile devices to safeguard protected health information. In addition, URMC is retraining users of its PHI and encouraging its physicians and staff to access sensitive patient information using its secure network rather than via portable devices.

One puzzling aspect of URMC’s actions is that its notifications to affected individuals and the posting by the Medical Center did not occur until the week of April 28, 2013. This is clearly past the date required by HHS.  HHS requires that notifications be made “without unreasonable delay and in no case later than 60 days following the discovery of a breach.”  Sixty days after the breach discovery on February 15, 2013 would have been April 16, 2013.

It is clear that the proliferation of mobile devices has geometrically expanded the potential for lost or improperly accessed PHI.  Even the most carefully planned and communicated policies cannot assure the protection of PHI from inappropriate compromise, whether intentional or accidental.  Moreover, the continual advancement of technology in this area at lightning speed often renders policies obsolete almost as soon as they are finalized and disseminated.  In the long run, it may make the question of the potential for a PHI breach for a covered entity, business associate or subcontractor more of a matter of “when” and “how” rather than “if.”

This blog series has been following the continuing flow of large security breaches of Protected Health Information (“PHI”) and how affected providers and insurers have been responding to their discovery. On January 19, 2011, a blog posting was made regarding two large PHI security breaches at The University of Rochester Medical Center (“URMC” or the “medical center”) in 2010 (the “2010 Breaches”). The posting reported that a review of the URMC website revealed no reference to either of the 2010 Breaches.

Shortly thereafter, I received the following comment from an anonymous “Dissent”:

The September 2010 breach is on their [University of Rochester (“UR”)] website.

You wouldn’t find it by searching the URMC site itself, though. I only found it by running the search on the main UR site.

The 2009 hack affecting 450 [individuals] wasn’t the medical center or PHI.

There was another 2009 incident that did involve the medical center, though, reported to the NYS CPB [New York State Consumer Protection Board]. It involved “insider wrongdoing,” but I do not know if PHI or patient data was involved or if [it] was employee data. The incident was never in the media and I never requested the report from NYS under FOI [Freedom of Information].

And yes, I think all entities should have links to disclosures prominently displayed or easy to find. 

Cheers,

/Dissent

I sincerely appreciate the knowledgeable information and clarification provided by Dissent. It is perplexing and somewhat illogical that the September 2010 Breach would be listed only on the UR website and not the separate comprehensive and extensive website of URMC, the institution at which the 2010 Breaches occurred. There is not even a cross-reference or link on the URMC site to the UR posting respecting the 2010 Breaches. 

Moreover, even with respect to the UR website, the posting respecting the September 2010 Breach should proactively inform affected individuals and the general public. The posting should not be so difficult to locate that only those who are specifically searching for the 2010 Breach with prior knowledge are likely to find it. Finally, query: why is the April 2010 Breach apparently not listed on either the UR or the URMC website?

As stated in my earlier blog entry, the posting of both of the 2010 Breaches on the URMC website in a reasonably prominent manner would have demonstrated that URMC has a commitment to act responsibly and do more than what is (to borrow a phrase from HITECH in a different context) “the minimum necessary” for communicating large PHI security breaches. This would accelerate the rehabilitation of confidence and relations with patients and the Medical Center’s larger constituency.

This blog series has been following the continuing flow of large security breaches of Protected Health Information (“PHI”) and how affected providers and insurers have been responding to their discovery. The University of Rochester Medical Center (“URMC” or the “Medical Center”) joined in the parade of large PHI security breaches two times in 2010.

The U.S. Department of Health and Human Services website, which provides a list (the “HHS List”) required by HIPAA/HITECH of large reported breaches of unsecured PHI incidents affecting 500 or more individuals, reveals that URMC had two large security breaches during 2010 (the “2010 Breaches”). The first 2010 Breach posted for URMC on the HHS List on May 28, 2010, related to 2,628 individuals from an “Unauthorized Access of Paper Records” that occurred on April 19, 2010. The second 2010 Breach posted for URMC on the HHS List on September 21, 2010 related to 857 individuals from a “Lost Portable Electronic Device” that occurred on August 2, 2010. 

There are several interesting aspects about the URMC events. First, like the incident at University of Tennessee Medical Center discussed earlier in this blog series, URMC apparently has determined that it is not necessary or appropriate to publish the 2010 Breaches in the URMC Newsroom or elsewhere on the URMC website.  A review of the list of 345 stories presently posted in the 2010 News Archives on the URMC website revealed no reference to either of the 2010 Breaches.  

It is somewhat disappointing that URMC has chosen not to communicate with its Internet community on the 2010 Breaches, as numerous other institutions with large PHI security breaches have chosen to do. It is even more puzzling in light of the fact that Peter Chesterton, MBA, the long-time Chief Privacy Officer and Chief HIPAA Security Official for URMC, has been a recognized leader and lecturer in the area of PHI security and privacy. He is also currently listed as a member of the University of Rochester Data Security Taskforce in the Office of the Provost (the “Provost Taskforce”). 

Mr. Chesterton lectured at the 4th Academic Medical Center Privacy and Security Conference on June 11, 2007 on the topic “Protecting PHI Shared with Private Physician Practices” and at the 5th Academic Medical Center Privacy and Security Conference on March 2, 2009 on the topic “AMC Privacy and Security: New Challenges, New Solutions – Best Practices for Compliance.”

As a matter of fact, Slide 23 on “Recent Developments” in Mr. Chesterton’s 2009 presentation referred to a “recent security incident.” Presumably his reference was to a January 11, 2009 data security breach, which was reported by www.identitytheft.info as having occurred at the University of Rochester (the “2009 Breach”), that involved 450 individuals from a “Hacked Database.”

It is not clear that the 2009 Breach involved PHI which is covered by HIPAA/HITECH or whether it related to the University of Rochester or URMC. In any event the 2009 Breach preceded the establishment of the HHS List and would not have been reportable on the HHS List had it been PHI because fewer than 500 individuals were affected. If the 2009 Breach related to the University of Rochester and not to the Medical Center, Mr. Chesterton’s knowledge of the 2009 Breach could have come from his membership on the Provost Taskforce.

Clearly Mr. Chesterton is not responsible for the publication policy of the URMC website or its news postings. However, I believe that the multiple occurrences of PHI security breaches in 2010 at URMC are a serious matter. The posting of the 2010 Breaches (and the 2009 Breach if it related to the Medical Center) on the URMC website would have demonstrated that URMC has a commitment to act responsibly and do more than what is (to borrow a phrase from HITECH in a different context) “the minimum necessary” for communicating a large PHI security breach. This would accelerate the rehabilitation of confidence and relations with patients and the Medical Center’s larger constituency.