Business_Associate_Breaches_March_2012

| Name of Covered Entity | State | Business Associate Involved | Individuals Affected | Date of Breach | Type of Breach | Location of Breached Information | Date Posted or Updated | Summary |
|---|---|---|---|---|---|---|---|---|
| Department of Medical Assistance Services | VA | ACS, Affiliated Computer Services, Inc. | 1,444 | 11/02/2011 - 11/16/2011 | Unauthorized Access/Disclosure | Paper | 2/24/12 | |
| Advanced Occupational Medicine Specialists | IL | Blue Vantage Group | 7,226 | 10/12/11 | Unauthorized Access/Disclosure | Network Server | 1/10/12 | |
| TRICARE Management Activity (TMA) | VA | Science Application International Corporation (SAI) | 4,901,432 | 9/13/11 | Loss | Other (Backup Tapes) | 11/4/11 | |
| Open MRI of Chicago | IL | Nation Wise Machine Buyers | 2,000 | 9/6/11 | Improper Disposal | Paper | 1/10/12 | |
| Ashley Industrial Molding, Inc. Employee Welfare Benefit Plan | IN | AssureCare Risk Management, Inc. | 506 | 8/9/11 | Hacking/IT Incident | Network Server | | |
| Mutual of Omaha Insurance Company | NE | Futurity First Insurance Group | 705 | 7/28/11 | Theft | Other Portable Electronic Device | | |
| United of Omaha Life Insurance Company | NE | Futurity First Insurance Group | 1,631 | 7/28/11 | Loss | Other Portable Electronic Device | | |
| United Health Group Health Plan | MN | Futurity First Insurance Group | 3,994 | 7/28/11 | Theft | Other Portable Electronic Device | | |
| American Continental Insurance Company | TN | Futurity First Insurance Group | 690 | 7/28/11 | Theft | Other Portable Electronic Device | 11/4/11 | |
| North Memorial | MN | Accretive Health, Inc | 2,800 | 7/25/11 | Theft | Laptop | | |
| Fairview Health Services | MN | Accretive Health, Inc | 14,000 | 7/25/11 | Theft | Laptop | | |
| University of Wisconsin Oshkosh | WI | Living Healthy Community Clinic | 3,000 | 7/18/11 | Hacking/IT Incident | Desktop Computer, | | |
| Clara Maass Medical Center | NJ | Med Assets | 8,795 | 6/24/11 | Theft | Other Portable Electronic Device | | |
| Community Medical Center | NJ | Med Assets | 6,950 | 6/24/11 | Theft | Other Portable Electronic Device | | |
| Kimball Medical Center | NJ | Med Assets | 6,785 | 6/24/11 | Theft | Other Portable Electronic Device | | |
| Monmouth Medical Center | NJ | Med Assets | 6,443 | 6/24/11 | Theft | Other Portable Electronic Device | | |
| Newark Beth Israel Medical Center | NJ | Med Assets | 15,015 | 6/24/11 | Theft | Other Portable Electronic Device | | |
| Saint Barnabas Medical Center | NJ | Med Assets | 6,179 | 6/24/11 | Theft | Other Portable Electronic Device | | |
| Cook County Health & Hospitals System | IL | Med Assets | 32,008 | 6/24/11 | Theft | Other Portable Electronic Device | | |
| Texas Health Presbyterian Hospital Flower Mound | TX | Texas Health Partners | 10,345 | 6/21/11 | Theft | Laptop | | |
| Ohio Health Plans | OH | Area Agency on Aging, Ohio District 5 | 78,042 | 6/3/11 | Theft | Laptop | | |
| Sutter Gould Medical Foundation (SGMF) | CA | Fidelity National Technology Imaging (FNTI) | 1,192 | 5/23/11 | Loss | Paper | | |
| Gypsum Management and Supply, Inc. Medical and Dental Plan | GA | AssureCare Risk Management, Inc. | 25,330 | 5/9/11 | Unauthorized Access/Disclosure | Network Server | | |
| New York State Department of Health | NY | St. Mary's Hospital for Children | 550 | 4/17/11 | Theft | Paper | | |
| Medicare Fee-for-Service Program | MD | Cahaba Government Benefit Administrators, LLC | 13,412 | 4/11/11 | Unauthorized Access/Disclosure | Paper | | |
| Concordia Plan Services (CPS) | MO | HITS Scanning Solutions, Inc. | 7,059 | 3/17/11 | Loss | Other | 11/18/11 | |
| Windsor Health Plan | TN | RxAmerica | 1,378 | 3/1/11 | Unauthorized Access/Disclosure | Paper | | |
| Charleston Area Medical Center, Inc | WV | Xforia Web Services | 3655 | 2/8/11 | Unauthorized Access/Disclosure | Network Server | | |
| Catholic Social Services | AK | Trisha Elaine Cordova | 1700 | 2/1/11 | Theft | Laptop | | A personal laptop computer was stolen from a contractor’s vehicle. The laptop computer contained approximately 493 adoption home studies/ the protected health information of 1700 individuals. The protected health information involved in the breach included names, addresses, phone numbers, dates of birth, driver’s license numbers, and health information; 20% of the files contained social security numbers. The covered entity did not have a business associate contract with the contractor at the time of the breach. OCR’s investigation resulted in the covered entity developing policies and procedures for obtaining business associate contracts when required by the Privacy Rule and verifying that the contractor involved was not an independent covered entity. |
| Health Net, Inc. | CA | IBM | 1900000 | 1/21/11 | Unknown | Other | | |
| Green River District Health Department | KY | Intragenetics | 18,871 | 1/12/11 | Hacking/IT Incident | Network Server | | |
| University of Missouri Health Plan | MO | Coventry Health Care, Inc. | 765 | 1/10/11 | Unauthorized Access/Disclosure | Paper | | |
| Molina Medicare | CA | RxAmerica | 4,573 | 1/1/11 | Unauthorized Access/Disclosure | Paper | | |
| New York City Health & Hospitals Corporation's North Bronx Healthcare Network | NY | GRM Information Management Systems | 1700000 | 12/23/10 | Theft | Electronic Medical Record, Other | | |
| Osceola Medical Center | WI | Hils Transcription | 500 | 11/25/10 | Unauthorized Access/Disclosure, Hacking/IT Incident | Network Server | | |
| Blue Cross Blue Shield Michigan | MI | Agent Benefits Corporation | 2979 | 11/17/10 | Unauthorized Access/Disclosure, Hacking/IT Incident | Network Server | | |
| Indiana Family and Social Services | IN | The Southwestern Indiana Regional Council on Aging | 757 | 11/9/10 | Theft | Laptop | | |
| International Union of Operating Engineers Health and Welfare Fund | MD | Zenith Administrators, Inc, | 800 | 11/3/10 | Theft | Paper | | |
| Triple-S Salud, Inc. | PR | Triple-C, Inc. | 8000 | 10/3/10 | Theft, Unauthorized Access/Disclosure | Network Server | 12/10/10 | |
| Ochsner Health System | LA | H.E.L.P. Financial Corporation | 9475 | 9/27/10 | Unauthorized Access/Disclosure | Paper | 12/10/10 | A programming error in a business associate’s IT system caused the PHI of patients to be printed on letters sent to other patients. The printing error affected approximately 9475 individuals. The protected health information involved in the breach included patient names, medical record numbers and account balances. Following the discovery of the breach, the BA corrected the programming error and implemented additional quality checks. Additionally, the BA notified the affected individuals and the CE notified the local media. |
| Puerto Rico Department of Health | PR | Triple-S Management, Corp.; Triple-S Salud, Inc. | 400000 | 9/21/10 | Unauthorized Access/Disclosure, Hacking/IT Incident | Network Server | 11/19/10 | |
| Triple-S Salud, Inc. | PR | Triple-C, Inc. | 398000 | 9/9/10 | Theft | Network Server | 12/10/10 | |
| Stanford Hospital & Clinics | CA | Multi-Speciality Collection Services, LLC | 19,651 | 9/9/10 | Unauthorized Access/Disclosure | Other | | |
| State of Alaska, Department of Health and Social Services | AK | Alaskan AIDS Assistance Association | 2000 | 9/7/10 | Theft | Other Portable Electronic Device | 10/1/10 | |
| Puerto Rico Department of Health | PR | Medical Card System/MCS-HMO/MCS Advantage/MCS Life | 115000 | 9/3/10 | Unauthorized Access/Disclosure | Other Portable Electronic Device | 12/2/10 | |
| State of Delaware Health Plan | DE | Aon Consulting | 22642 | 8/16/10 | Unauthorized Access/Disclosure | Network Server | 9/20/10 | The business associate prepared a document as part of a request for proposal for the covered entity’s vision benefit program which mistakenly included protected health information of 22,642 individuals. The document was posted online for five days. The protected health information involved in the breach included social security numbers, dates of birth, gender, zip codes, and vision plan enrollment information. In response to this incident, the covered entity implemented additional safeguards to prevent this type of impermissible disclosure of protected health information. In particular, the covered entity will now require several layers of review before allowing public disclosure of documents prepared by the business associate. The covered entity also took steps to enforce the requirements of its business associate agreement with Aon Consulting. Aon will provide affected individuals with free credit monitoring, fraud resolution resources, and identity theft insurance. Additionally, the business associate has provided assurances to the covered entity that it has taken steps to prevent this type of impermissible disclosure in the future. |
| Alliance HealthCare Services, Inc. | CA | Eden Medical Center | 1474 | 8/5/10 | Loss | Other Portable Electronic Device | 10/7/10 | Two USB storage devices containing ePHI of 1,474 individuals were lost. The USB storage devices contained 1,474 individuals’ ePHI. The ePHI included first and last name, date of birth, and treatment information. As a result of the breach, the covered entity's email will now be password protected and encrypted. As a result of the loss, the CE has initiated an encryption project to encrypt external hard drives and related media. Additionally, the CE filed a police report, changed policies and procedures, and encrypted USB devices. |
| Alliance HealthCare Services, Inc. | CA | Oroville Hospital | 1469 | 7/31/10 | Loss | Other Portable Electronic Device | 10/7/10 | Two USB storage devices containing ePHI of 1,469 individuals were lost. The ePHI included first and last name, date of birth, and treatment information. As a result of the breach, the covered entity's email will now be password protected and encrypted. As a result of the loss, the CE has initiated an encryption project to encrypt external hard drives and related media. Additionally, the CE filed a police report, changed policies and procedures, and encrypted USB devices. |
| Milton Pathology Associates, P.C. | MA | Goldthwait Associates | 11000 | 7/26/10 | Improper Disposal | Paper | 10/5/10 | |
| UnitedHealth Group--SACE | MN | CareCore National | 1270 | 7/8/10 | Unauthorized Access/Disclosure | Paper | 10/7/10 | |
| Humana Inc. | KY | Matrix Imaging | 2631 | 6/25/10 | Unauthorized Access/Disclosure | Paper | 8/18/10 | The covered entity’s business associate, Matrix Imaging, which was contracted to send out coverage determination letters to Humana customers, sent the letters to incorrect addresses. Approximately 2,631 individuals were affected by the coverage determination letters being misrouted. Following the breach, the covered entity reprinted all erroneous coverage determination letters with an apology notice; implemented a process for the business associate to increase the timing for the quality assurance process to identify and suppress bad addresses; implemented additional manual quality controls and verification after the enveloping process with the business associate; and among other things, established an identification code printed on each letter that links the Member Address file to the actual printed letter. As a result of OCR’s investigation, the covered entity placed a record into its accounting of disclosure records for each member impacted, and the accounting records for all 2,631 individuals have been updated to reflect the disclosures. |
| John Deere Health Benefit Plan for Wage Employees | IL | UnitedHealth Insurance Company | 1097 | 6/24/10 | Unauthorized Access/Disclosure | Paper | 7/22/10 | |
| Walsh Pharmacy | MA | McKesson Pharmacy Systems LLC | 11440 | 6/3/10 | Loss | Other Portable Electronic Device | 8/18/10 | |
| Department of Health Care Policy & Financing | CO | Governor's Office of Information Technology | 105470 | 5/17/10 | Theft | Computer | 7/22/10 | |
| Saint Barnabas Medical Center | NJ | KPMG LLP | 3630 | 5/10/10 | Loss | Other Portable Electronic Device | 9/10/10 | |
| Newark Beth Israel Medical Center | NJ | KPMG LLP | 956 | 5/10/10 | Loss | Other Portable Electronic Device | 9/10/10 | |
| University Hospital | GA | Augusta Data Storage, Inc. | 14000 | 5/7/10 | Loss | Other | 7/12/10 | |
| Sinai Hospital of Baltimore, Inc. | MD | Aramark Healthcare Support Services, Inc. | 937 | 5/3/10 | Unauthorized Access/Disclosure | E-mail | 7/1/10 | A business associate employee sent an email to multiple patients without concealing patient email addresses. The message concerned a dietary program in which the names and email addresses were visible to all recipients. The breach affected 937 individuals. In response to this incident, the covered entity took steps to enforce the requirements of its business associate agreement with Aramark. The business associate counseled the employee responsible for the breach and retrained all employees who may communicate with patients via email on the requirements of the Privacy and Security Rules as well as related policies and procedures. |
| California Department of Healthcare Services | CA | Care 1st Health Plan | 29808 | 4/29/10 | Loss | Other Portable Electronic Device | 7/12/10 | |
| Veterans Health Administration | DC | Heritage Health Solutions | 656 | 4/22/10 | Theft | Laptop | 5/19/10 | A laptop was stolen from an employee of the business associate. The computer contained the protected health information (PHI) of 656 individuals. The PHI involved in the breach included names, social security numbers, dates of birth, and medication information. In response to this incident, the covered entity took steps to enforce the requirements of its business associate agreement with Heritage Health. The business associate installed encryption software on all employee computers, strengthened access controls including passwords, reviewed and updated security policies and procedures, and made improvements to the physical security of the building. In addition, the responsible employee was counseled, and all employees received additional security training. |
| Trinity Health Corporation Welfare Benefit Plan | MI | Mercer Health & Benefits | 1073 | 3/29/10 | Loss | Other | 8/4/10 | Trinity Health Corporation Welfare Benefit Plan’s business associate, Mercer Health & Benefits (Mercer), lost a server backup tape as it was being sent via FEDEX from Boise to Seattle. The backup tape contained information of about 375,000 individuals that Mercer serviced. The total affected at Trinity Health was about 1,073 current and former employees and their dependents. The protected health information involved included names, addresses, dates of birth, and social security numbers. Although Mercer concluded that the lost tape was configured so that even a sophisticated user would be unlikely to be able to access the data within, both Mercer and Trinity Health notified all possible affected individuals and offered free credit protection services. To prevent a similar breach from occurring in the future, Mercer now stores backup tapes through a third party vendor who offers secure transport services. Mercer’s Boise office now encrypts backup tapes. Trinity Health has not had a business relationship with Mercer for many years and Mercer currently does not store any original PHI belonging to Trinity Health. |
| Idaho Power Group Health Plan | ID | Mercer Health & Benefits | 5500 | 3/29/10 | Loss | Other | 8/20/10 | Idaho Power Group Health Plan's business associate, Mercer Health and Benefits, lost a backup tape as it was being sent via FEDEX from Boise to Seattle. The backup tape contained information of about 375,000 individuals that Mercer serviced. The total affected at Idaho Power was about 5,500 current and former employees and their dependents. The protected health information involved included names, addresses, dates of birth, and social security numbers. Although Mercer concluded that the lost tape was configured so that even a sophisticated user would be unlikely to be able to access the data within, both Mercer and Idaho Power notified all possible affected individuals and offered free credit protection services. To prevent a similar breach from occurring in the future, Mercer now stores backup tapes through a third party vendor who offers secure transport services. Mercer's Boise office now encrypts backup tapes. Following the incident, Idaho Power renegotiated its contract with Mercer and continues to evaluate its business relationship with Mercer. |
| Lincoln Medical and Mental Health Center | NY | Siemens Medical Solutions, USA, Inc. | 130495 | 3/24/10 | Loss | Other | 6/29/10 | |
| State of New Mexico Human Services Department, Medical Assistance Division | NM | DentaQuest | 9600 | 3/20/10 | Theft | Laptop | 5/19/10 | The business associate's contractor left a laptop in a car. The car was stolen with the laptop containing protected health information of approximately 9,600 individuals. The EPHI involved in the breach included names, social security numbers, and demographic information. Following the breach, CE encrypted all laptops that contained PHI. |
| TennCare | TN | DentaQuest | 10515 | 3/20/10 | Theft | Laptop | 6/11/10 | |
| Beatrice Community Hospital and Health Center | NE | McKesson Information Solutions, LLC | 660 | 3/19/10 | Unauthorized Access/Disclosure | Paper | 4/29/10 | |
| Utah Department of Health | UT | Utah Department of Workforce Services | 1298 | 3/1/10 | Unauthorized Access/Disclosure | Computer, Paper | 10/18/10 | |
| Emergency Healthcare Physicians, Ltd. | IL | Millennium Medical Management Resources, Inc. | 180111 | 2/27/10 | Theft | Other Portable Electronic Device | 5/5/10 | |
| South Shore Hospital | MA | Iron Mountain Data Products, Inc. (now known as Archive Data Solutions, LLC) | 800000 | 2/26/10 | Loss | Other Portable Electronic Device, Electronic Medical Record, Other | 7/21/10 | |
| Reliant Rehabilitation Hospital North Houston | TX | Computer Program and Systems, Inc. (CPSI) | 763 | 2/9/10 | Unauthorized Access/Disclosure | E-mail | 4/20/10 | |
| General Agencies Welfare Benefits Program | TN | Towers Watson | 1874 | 2/5/10 | Loss | Other | 5/5/10 | |
| MMM Health Care Inc. | NY | MSO of Puerto Rico, Inc. | 1907 | 2/4/10 | Unauthorized Access/Disclosure | Paper | 3/4/10 | |
| PMC Medicare Choice | NY | MSO of Puerto Rico, Inc. | 605 | 2/4/10 | Unauthorized Access/Disclosure | Paper | 3/4/10 | In its breach report and during the course of OCR’s investigation, the covered entity advised that it took various corrective actions to prevent a reoccurrence of the breach. Specifically, the covered entity conducted a risk assessment which revealed that the breach may pose a significant risk of financial, reputational, or other harm to the 1,907 patients. The covered entity sent notification letters to the affected 1,907 patients apologizing for the breach. In addition, the covered entity had a radio advertisement played on the Radio Isla Radio Station in Puerto Rico on February 14, 2010. The covered entity implemented a corrective action plan in which the Health Services Department established a quality control process in order to ensure that letters that are sent by mail have the correct mailing address. In addition, the covered entity created and implemented a new policy and procedure under which the Production Services Department will require a form to be completed when a print or mail job is requested. The covered entity also issued a directive from the Vice President of Member Services to all Production Services Department staff regarding the need to verify emails with the requesters and to request confirmation from requesters prior to proceeding with the mailing of each print job. Further, on February 19, 2010, the covered entity provided training to all staff on the newly revised policies and procedures. |
| City of Charlotte Health Plan | NC | Towers Watson | 5220 | 2/3/10 | Loss | Other | 6/3/10 | |
| Newark Beth Israel Medical Center | NJ | Professional Transcription Company, Inc. | 1744 | 1/1/10 | Unauthorized Access/Disclosure | Network Server | 12/10/10 | |
| Educators Mutual Insurance Association of Utah | UT | Health Behavior Innovations | 5700 | 12/27/09 | Theft | Others (CDs) | 3/4/10 | |
| Brown University | RI | Blue Cross Blue Shield of Rhode Island | 528 | 12/11/09 | Unauthorized Access/Disclosure | Paper | 3/4/10 | On January 5, 2010, BCBSRI was notified that a 16 page report pertaining to Brown University’s health plan was impermissibly disclosed to two other BCBSRI agents. The reports contained the PHI of approximately 528 individuals. The PHI involved: first and last names, dates of service, cost of medical care provided, and member identification numbers. Following the breach, BCBSRI recovered the reports, received written assurances that any electronic copies of the reports were deleted, notified affected individuals of the breach, implemented a new procedure for all outgoing correspondence, and is in the process of auditing all affected members’ claim history to ensure no fraud. |
| Blue Island Radiology Consultants | IL | United Micro Data | 2562 | 12/9/09 | Loss | Other (Backup Tapes) | 2/22/10 | The business associate mailed a package to the covered entity that was supposed to contain a backup data tape and compact disc (CD) containing protected health information, but the tape and the CD were not in the package. Approximately 2,000 individuals were affected by the breach. Individual demographic, financial and clinical information was included in the protected health information. The covered entity provided written notice and an apology to affected individuals, provided them with details of the incident, described ways for these individuals to protect themselves from identity theft and provided a toll-free telephone number for the individuals to call if they had additional questions. Following the breach, the covered entity continues to back up data on tapes, but it now stores the tapes in a safe deposit box instead of sending them via the mail. |
| Keith W. Mann, DDS, PLLC | NC | Rick Lawson, Professional Computer Services | 2000 | 12/8/09 | Hacking/IT Incident | Computer, Network Server, Electronic Medical Record | 2/22/10 | |
| Universal American | NY | Democracy Data & Communications, LLC | 83000 | 11/12/09 | Unauthorized Access/Disclosure | Paper | 2/22/10 | In its breach report and during the course of OCR’s investigation, the covered entity advised that it took various corrective actions to prevent a reoccurrence of the breach. Specifically, the covered entity conducted a risk assessment which revealed that the breach posed a significant risk of financial, reputational, or other harm to the 83,000 members. The covered entity sent notification letters to 83,000 members apologizing for the breach and offered a year of free credit monitoring and a $25,000 insurance policy against identity theft ($10,000 for New York residents). The covered entity also provided training to its call centers on November 29, 2009 to answer inquiries from callers concerned about the breach. In addition, media outlets were contacted to alert of a breach in states in which more than 500 members were impacted by the breach. The covered entity advised that media outlets were identified based on location of membership impacted, as well as ensuring it was a major media outlet and press releases were sent to 21 major media outlets on December 18, 2009. The covered entity also created and implemented a new policy titled “Personal Health Information and Personal Identifiable Information Data Security and Handling Policy Acknowledgement Form” that centralized all data requests through a “Team Track” which is an internal electronic submission request that ensures all PHI requested data receives the sign off of the Privacy Officer and Security Officer prior to release. Further, the covered entity also provided a mandatory annual computer-based training to all staff in May 2010. |
| Omaha Construction Industry Health and Welfare Plan | NE | DeBoer & Associates | 800 | 11/11/09 | Theft | Laptop | 6/4/10 | |
| Blue Cross Blue Shield Association | DC | Service Benefits Plan Administrative Services Corp. | 3400 | 10/26/09 | Unauthorized Access/Disclosure | Paper (Mailing) | 2/22/10 | The business associate incorrectly updated the contract holders’ addresses resulting in the mailing of protected health information to incorrect recipients. The breach affected approximately 3,400 members. The protected health information involved included demographic information, EOBs, clinical information, and diagnoses. In response to this incident, the covered entity took steps to enforce the requirements of its business associate agreement with SBP. The business associate improved its code review process to catch the system error that caused this incident and instituted a manual quality review process designed to identify bad addresses. |
| Cogent Healthcare of Wisconsin, S.C. | TN | Cogent Healthcare, Inc. | 6400 | 10/11/09 | Theft | Laptop | 2/22/10 | |
| Blue Cross Blue Shield Association | DC | Merkle Direct Marketing | 15000 | 10/7/09 | Unauthorized Access/Disclosure | Paper | 2/22/10 | |
| Pinnacle Health System | PA | Gair Medical Transcription Services, Inc. | 1085 | 9/23/09 | Unauthorized Access/Disclosure | Network Server | 1/4/11 | Pinnacle Health Systems was notified that a business associate, a medical transcription service, had a server compromised in which reports of Pinnacle patients could be viewed online. The server compromise involved the protected health information of 1085 individuals. The protected health information involved in the breach included names, Medicaid ID numbers, dates of birth, and primary physicians. In response to this incident, the covered entity took steps to enforce the requirements of the Privacy & Security Rules. The covered entity immediately discontinued its relationship with the business associate and engaged another medical transcription service. The covered entity also contracted with forensic consultants to ensure that the cause of the compromise was found and that all traces of breached medical reports were removed from online and inaccessible in the future. |

19,159,770