30,000 Rhode Islanders Hit by Health Data Breaches

Tuesday, March 03, 2015

 


Six businesses in Rhode Island have been involved in health data security breaches that have affected over 30,000 individuals since 2010, according to data maintained by the U.S. Department of Health and Human Services' Office for Civil Rights.  

CVS Caremark, The Kent Center, Landmark Medical Center, Rite Aid, Women and Infants, and Blue Cross and Blue Shield of Rhode Island (twice) each had security breaches affecting more than 500 people, which are required to be reported to the Secretary of Health and Human Services under the HITECH Act.


State statute, however, does not require entities to notify the RI Office of the Attorney General.

"Under the state’s data breach statute, companies are not required to inform the Office of Attorney General of a data breach, but rather they are required to notify impacted customers who reside in Rhode Island," said Amy Kempe, Spokesperson for Rhode Island Attorney General Peter Kilmartin. "It is our practice to write a letter to companies that we are aware of that experienced a data breach informing them of the statute and the requirement to alert impacted customers."

Kilmartin's office recently warned Rhode Islanders of a data breach that affected nearly 80 million customers of Anthem, Inc., the parent company of Anthem Blue Cross and Blue Shield in Connecticut. The Blue Cross and Blue Shield System consists of 37 independently operated Blue Cross and Blue Shield member companies. "Blue Cross Blue Shield of Rhode Island (BCBSRI) and Anthem Inc. are separate and distinct companies, though through various collaborative agreements some information on members could have been affected," said Kilmartin's office.

"Be suspicious of any phone calls or emails claiming to be from Anthem Inc. asking to confirm account information, social security number or other personal identifiable information," said Kilmartin.  "Calls or emails claiming to provide information about the breach may be scams."

Addressing the Issue


"Until recently, the most common culprits in health data breaches have been lost or stolen unencrypted computing devices, such as laptops. However, hacking attacks on healthcare companies are increasing. The biggest health data breach to date appears to be the recent hacking attack on Anthem Inc., which the company says affected 78.8 million individuals.  There was also a major hacking attack on Community Health Systems last August, an incident which affected 4.5 million patients," said Marianne Kolbasuk McGee, Executive Editor of the Information Security Media Group. 

As for what individuals impacted by a breach should do, McGee offered the following.

"Individuals affected by health data breaches should take advantage of the credit monitoring and fraud protection services that many healthcare organizations make available for free following a breach. It’s important to monitor your credit records for unusual, suspicious activity that might indicate that your identity (name, Social Security number, etc.) is being used unlawfully by others," said McGee. "But remember: Following a breach, most organizations will offer free credit monitoring/fraud protection for a year, maybe two years. However, ID theft and fraud could potentially occur after that free credit monitoring ends."

On February 27, ProPublica, in conjunction with NPR, wrote about the lack of fines levied against the companies involved in breaches, in a piece entitled "Fines Remain Rare Even As Health Breaches Multiply."

"Since October 2009, health care providers and organizations (including third parties that do business with them) have reported more than 1,140 large breaches to the Office for Civil Rights, affecting upward of 41 million people. They’ve also reported more than 120,000 smaller lapses, each affecting fewer than 500 people," wrote ProPublica's Charles Ornstein.  

"In some cases, records were on laptops stolen from homes or cars. In others, records were targeted by hackers. Sometimes, paper records were forgotten on trains or otherwise left unattended," wrote Ornstein. "Yet, over that time span, the Office for Civil Rights has fined health care organizations just 22 times."

 

Related Slideshow: Health Data Security Breaches Reported in RI Since 2010

The following are health data breach reports from Rhode Island as listed on the Department of Health and Human Services Office for Civil Rights website.

As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. These breaches are now posted in a new, more accessible format that allows users to search and sort the posted breaches. Additionally, this new format includes brief summaries of the breach cases that OCR has investigated and closed, as well as the names of private practice providers who have reported breaches of unsecured protected health information to the Secretary.


#7

Blue Cross Blue Shield of Rhode Island (RI)

Individuals Affected: 528

Breach Submission Date: 2/16/10

Type of Breach: Other

Location of Breached Information: Paper/Films 

Notes:

On January 5, 2010, BCBSRI was notified that a 16 page report pertaining to Brown University's health plan was impermissibly disclosed to two other BCBSRI agents. The reports contained the PHI of approximately 528 individuals. The PHI involved: first and last names, dates of service, cost of medical care provided, and member identification numbers. Following the breach, BCBSRI recovered the reports, received written assurances that any electronic copies of the reports were deleted, notified affected individuals of the breach, implemented new procedure for all outgoing correspondence, and is in the process of auditing all affected member's claim history to ensure no fraud.


#6

Landmark Medical Center (RI)

Individuals Affected: 683

Breach Submission Date: 11/30/12

Type of Breach: Theft

Location of Breached Information: Laptop

Notes: N/A


#5

CVS Caremark (RI)

Individuals Affected: 955

Breach Submission Date: 10/26/12

Type of Breach: Theft

Location of Breached Information: Paper/Films

Notes:

"This involved the theft of a pharmacy log book from one of our stores in Columbia, South Carolina back in October 2012.  We submitted a report to the OCR in compliance with their reporting requirements. The information in the log book stolen from our Columbia, SC store did not contain any medication, credit card, debit card or bank account information," said CVS Director of Public Relations Mike DeAngelis. "At the time, we sent a notice to patients in Columbia whose information was contained in the log book about the theft. There were no fines associated with this theft. CVS has since moved to an electronic verification system in our pharmacies and we no longer use a paper log book."


#4

The Kent Center (RI)

Individuals Affected: 1361

Breach Submission Date: 9/10/10

Type of Breach: Theft

Location of Breached Information: Paper/Films

Notes:

The Kent Center in Rhode Island reported that paper records of 1,361 patients were stolen in July. In a notification linked from the homepage of their web site, they write, in part:

On July 13, 2010, a briefcase was stolen from the car of one of our clinicians. Documents in the briefcase included client names, dates of birth, and for some clients involved in the court system, limited clinical information. This did not affect all of the clients we have ever treated and the individuals it did affect have been sent written notifications. We learned about this incident the same day and it has been reported to the Providence Police Department. The briefcase resembled a laptop carrying case and we have no reason to believe the documents in the briefcase were the target of the theft. Other items in the car were stolen and the police informed our employee that there were several car break-ins on the same night in the area.

No financial information, such as social security numbers, addresses, insurance information, guarantor information, credit or debit card information or bank account numbers were included in the documents contained in the briefcase.

Source: PHIPrivacy.net


#3

Rite-Aid (RI)

Individuals Affected: 2082

Breach Submission Date: 3/29/13

Type of Breach: Other

Location of Breached Information: Paper/Film

Notes:

On Feb. 8, 2013, Rite Aid Store No. 10217 located at 236 County Rd. in Barrington, RI, determined that a few boxes containing prescription records were found to be missing during a review of the stores’ records. An exhaustive search of the store was conducted and an investigation was completed to determine what happened to the records, but despite our efforts, the boxes could not be found. 

It is important to note that the hard copy prescriptions missing from Rite Aid Store No. 10217 do not contain any credit card numbers or social security numbers. There is no evidence to support that any customer information has been misused. As a precaution, the company has engaged the world’s leading risk consulting company Kroll Inc., to alert impacted customers via a letter of notification and share with them the proactive measures it has taken to guard against identity theft. Customers who did not receive a notification letter were likely not affected. No files from any other Rite Aid store were involved.


#2

Blue Cross Blue Shield of Rhode Island (RI)

Individuals Affected: 12,000

Breach Submission Date: 4/21/10

Type of Breach: Theft

Location of Breached Information: Paper/Films

Notes:

A covered entity (CE) donated a file cabinet containing the protected health information (PHI) of 12,000 individuals before cleaning it out. The PHI included member's names, addresses, telephone numbers, social security numbers, and Medicare identification numbers. The covered entity (CE) provided breach notification to HHS, the affected individuals, and media, and offered all affected individuals free credit monitoring for a period of one year. Following the breach, the CE sanctioned the employees involved in the incident and held a mandatory training regarding the HIPAA Privacy and Security Rule for all departments involved in the breach. The CE also revised the policy for office moves. OCR obtained assurances that the CE implemented the corrective action listed above.

 


#1

Women and Infants Hospital of Rhode Island (RI)

Individuals Affected: 14,004

Breach Submission Date: 11/5/12

Type of Breach: Loss

Location of Breached Information: Other

Notes:

Women & Infants Hospital announced that on September 13, 2012, the hospital discovered that unencrypted backup tapes containing ultrasound images from two of its ambulatory sites located at 79 Plain Street in Providence, RI and 67 Brigham Street in New Bedford, MA were missing.  The hospital immediately began an investigation and conducted a thorough search of its facilities but has been unable to locate the backup tapes.

The backup tapes contained ultrasound studies dating from 1993 to 1997 in Providence and from 2002 to 2007 in New Bedford and included patient names, dates of birth, dates of exam, physicians’ names, patient ultrasound images, and, in some instances, Social Security numbers.  

 
 
