As some had predicted 2015 was the year of the healthcare hack.  PHI breaches were up dramatically, at least the ones that were reported were up.  In this episode we review some of the breaches that ended the year with a bang.

Before we start there are some shout outs we needed to do.

First, Erien Fryer of Medical Direct Care has been a supporter of our podcast from the beginning.  Thanks for all your support Erien and we appreciate the tip you shared with us so much that we shared it with everyone else!  The tip…  she keeps her ComplyAssitant page open all day so it is easy to document her privacy and security activity as she goes.  Thanks again, Erien!

Donna has been asked to be interviewed on a Business RadioX show.  The live broadcast on Jan 28th at 11am EST is when Donna joins the Atlanta’s Most Trusted Advisors show to discuss HIPAA compliance for Business Associates.  One of the Kardon Compliance clients Patientco will join her as a guest to discuss what it takes for a BA to deal with HIPAA. Tune in if you can or catch the show on the web or iTunes later.


PHI Breaches were a big deal in 2015

2015 was the year of the breach, at least in healthcare.

Dec 2015 there were 22 breaches of greater than 500 reported. Totals 84,324 patients.  The HHS Wall of Shame for 2015 lists 264 breaches over 500 with 112,993,215 (Anthem)

OCR has said clearly that any breach over 500 patients WILL be investigated. Period.

Let’s look at some of the PHI breaches in December 2015.

12/11 Mary Ruth Buchness, N.Y., 14,910 people affected
Email accident Mary Ruth Buchness, a dermatologist practicing in New York City, accidentally emailed a list of nearly 15,000 patient names and corresponding addresses, appointment dates and Social Security numbers.

12/02 University of Colorado Health, Co. 827 people affected.
Snooping A nurse at Poudre Valley Hospital was fired for viewing patients’ medical records out of personal curiosity, the Coloradoan reported.  University of Colorado Health, which operates PVH and Medical Center of the Rockies in Loveland, has notified patients that an employee inappropriately accessed their electronic medical records.

12/01: Cottage Health, CA, affected 11,000 people
Hack In a statement, Cottage Health officials said limited information from as many as 11,000 patients was exposed.
“Cottage Health recently hired a team of cyber security experts to test our data systems,” the statement said. “This team discovered a single server that was exposed. We immediately shut down this server and began an investigation.”

12/01: Centegra Health System, Il, affected 2,929 people.
Mailing A mailing snafu by a BA may have exposed personal information of patients. An error was made configuring the equipment used to prepare the mailing so each envelope had two statements – the right one and the next one too

12/03 Blue Cross Blue Shield of Nebraska, 1,872 people affected
Mailing Blue Cross and Blue Shield of Nebraska notified beneficiaries that a printing error caused some dental explanation of benefits forms to be sent to the wrong customers. The forms revealed treatment and services that the insurer paid for their insured.

12/4 Middlesex Hospital, CT, 946 people affected
Phishing Middlesex Hospital has notified patients of a data breach when four of its employees were victims of a phishing scam that enabled hackers to get into hospital records compromising patient information.

David’s prediction for 2016: Business Associates will be on the single biggest problem with causing breaches for businesses.

“Nobody can say they didn’t know about #HIPAA anymore.”

Next, Portland, OR Northwest Primary Care 5,372 people
Employee Theft Northwest Primary Care is notifying patients of a data breach when a former employee stole patient information.

Cottonwood Comfort Dental Albuquerque, NM Unknown
Flying Paper Thousands of dental records from Cottonwood Comfort Dental were found scattered all over a New Mexico freeway. The paperwork contained addresses, insurance information and Social Security numbers.
The dental company said that they have their paperwork shredded and is now investigating the incident.

Radiology Regional Center Fort Meyers, FL Unknown
Flying Paper Hundreds of medical records belonging to Radiology Regional Center were found scattered on the roads in Fort Myers Florida.

  • The records included financial information on accounts, old phone bills invoice and registration information typically given at the front desk.
  • It appears that the container that the documents were in that were being collected for destruction by the county, opened and the papers flew out of the truck.

The high number of PHI breaches in 2015 continues to add to the evidence all around that you need to be doing this stuff already not next month or next year.  You can no longer say you didn’t know or you didn’t understand.  You don’t want one of these huge PHI breaches to be the moment you wish you had taken the time to make it important for your business.

“One of the things we’re trying to do is get your #breaches down.”