30,000 Rhode Islanders Hit by Health Data Breaches
Kate Nagle, GoLocal Contributor
30,000 Rhode Islanders Hit by Health Data Breaches
CVS Caremark, The Kent Center, Landmark Medical Center, Rite-Aide, Women and Infants, and Blue Cross and Blue Shield of Rhode Island (twice) each had security breaches of more than 500 people, which requires that it be reported to the Secretary of Health and Human Services under the HITECH Act.
SLIDES: See the Security Breaches BELOW
GET THE LATEST BREAKING NEWS HERE -- SIGN UP FOR GOLOCAL FREE DAILY EBLASTStatue statue, however, does not require entities to tell the RI Office of the Attorney General.
"Under the state’s data breach statute, companies are not required to inform the Office of Attorney General of a data breach, but rather they are required to notify impacted customers who reside in Rhode Island," said Amy Kempe, Spokesperson for Rhode Island Attorney General Peter Kilmartin. "It is our practice to write a letter to companies that we are aware of that experienced a data breach informing them of the statute and the requirement to alert impacted customers."
Kilmartin's office recently warned Rhode Islanders of a data breach affected nearly 80 million customers of Anthem, Inc., the parent company of Anthem Blue Cross and Blue Shield in Connecticut. The Blue Cross and Blue Shield System consists of 37 independently operated Blue Cross and Blue Shield member companies. "Blue Cross Blue Shield of Rhode Island (BCBSRI) and Anthem Inc. are separate and distinct companies, though through various collaborative agreements some information on members could have been affected," said Kilmartin's office.
"Be suspicious of any phone calls or emails claiming to be from Anthem Inc. asking to confirm account information, social security number or other personal identifiable information," said Kilmartin. "Calls or emails claiming to provide information about the breach may be scams."
Addressing the Issue
As for what individuals should do who are impacted by a breach, McGee offered the following.
"Individuals affected by health data breaches should take advantage of the credit monitoring and fraud protection services that many healthcare organizations make available for free following a breach. It’s important to monitor your credit records for unusual, suspicious activity that might indicate that your identity (name, Social Security number, etc.) is being used unlawfully by others," said McGee. "But remember: Following a breach, most organizations will offer free credit monitoring/fraud protection for a year, maybe two years. However, ID theft and fraud could potentially occur after that free credit monitoring ends."
On February 27, Pro Publica in conjunction with NPR wrote about the lack of fines levied against the companies involved in breaches, in a piece entitled, "Fines Remain Rare Even As Health Breaches Multiply."
"Since October 2009, health care providers and organizations (including third parties that do business with them) have reported more than 1,140 large breaches to the Office for Civil Rights, affecting upward of 41 million people. They’ve also reported more than 120,000 smaller lapses, each affecting fewer than 500 people," wrote ProPublica's Charles Ornstein.
"In some cases, records were on laptops stolen from homes or cars. In others, records were targeted by hackers. Sometimes, paper records were forgotten on trains or otherwise left unattended," wrote Ornstein. "Yet, over that time span, the Office for Civil Rights has fined health care organizations just 22 times."
Health Data Security Breaches Reported in RI Since 2010
#7
Blue Cross Blue Shield of Rhode Island (RI)
Individuals Affected: 528
Breach Submission Date: 2/16/10
Type of Breach: Other
Location of Breached Information: Paper/Films
Notes:
On January 5, 2010, BCBSRI was notified that a 16 page report pertaining to Brown University's health plan was impermissibly disclosed to two other BCBSRI agents. The reports contained the PHI of approximately 528 individuals. The PHI involved: first and last names, dates of service, cost of medical care provided, and member identification numbers. Following the breach, BCBSRI recovered the reports, received written assurances that any electronic copies of the reports were deleted, notified affected individuals of the breach, implemented new procedure for all outgoing correspondence, and is in the process of auditing all affected member's claim history to ensure no fraud.
#6
Landmark Medical Center (RI)
Individuals Affected: 683
Breach Submission Date: 11/30/12
Type of Breach: Theft
Location of Breached Information: Laptop
Notes: N/A
#5
CVS Caremark (RI)
Individuals Affected: 955
Breach Submission Date: 10/26/12
Type of Breach: Theft
Location of Breached Information: Paper/Films
Notes:
"This involved the theft of a pharmacy log book from one of our stores in Columbia, South Carolina back in October 2012. We submitted a report to the OCR in compliance with their reporting requirements. The information in the log book stolen from our Columbia, SC store did not contain any medication, credit card, debit card or bank account information," said CVS Director of Public Relations Mike DeAngelis. "At the time, we sent a notice to patients in Columbia whose information was contained in the log book about the theft. There were no fines associated with this theft. CVS has since moved to an electronic verification system in our pharmacies and we no longer use a paper log book."
#4
The Kent Center (RI)
Individuals Affected: 1361
Breach Submission Date: 9/10/10
Type of Breach: Theft
Location of Breached Information: Paper/Films
Notes:
The Kent Center in Rhode Island reported that paper records of 1,361 patients were stolen in July. In a notification linked from the homepage of their web site, they write, in part:
On July 13, 2010, a briefcase was stolen from the car of one of our clinicians. Documents in the briefcase included client names, dates of birth, and for some clients involved in the court system, limited clinical information. This did not affect all of the clients we have ever treated and the individuals it did affect have been sent written notifications. We learned about this incident the same day and it has been reported to the Providence Police Department. The briefcase resembled a laptop carrying case and we have no reason to believe the documents in the briefcase were the target of the theft. Other items in the car were stolen and the police informed our employee that there were several car break-ins on the same night in the area.
No financial information, such as social security numbers, addresses, insurance information, guarantor information, credit or debit card information or bank account numbers were included in the documents contained in the briefcase.
Source: PHIPrivacy.net
#3
Rite-Aid (RI)
Individuals Affected: 2082
Breach Submission Date: 3/29/13
Type of Breach: Other
Location of Breached Information: Paper/Film
Notes:
On Feb. 8, 2013, Rite Aid Store No. 10217 located at 236 County Rd. in Barrington, RI, determined that a few boxes containing prescription records were found to be missing during a review of the stores’ records. An exhaustive search of the store was conducted and an investigation was completed to determine what happened to the records, but despite our efforts, the boxes could not be found.
It is important to note that the hard copy prescriptions missing from Rite Aid Store No. 10217 do not contain any credit card numbers or social security numbers. There is no evidence to support that any customer information has been misused. As a precaution, the company has engaged the world’s leading risk consulting company Kroll Inc., to alert impacted customers via a letter of notification and share with them the proactive measures it has taken to guard against identity theft. Customers who did not receive a notification letter were likely not affected. No files from any other Rite Aid store were involved.
#2
Blue Cross Blue Shield of Rhode Island (RI)
Individuals Affected: 12,000
Breach Submission Date: 4/21/10
Type of Breach: Theft
Location of Breached Information: Paper/Films
Notes:
A covered entity (CE) donated a file cabinet containing the protected health information (PHI) of 12,000 individuals before cleaning it out. The PHI included member's names, addresses, telephone numbers, social security numbers, and Medicare identification numbers. The covered entity (CE) provided breach notification to HHS, the affected individuals, and media, and offered all affected individuals free credit monitoring for a period of one year. Following the breach, the CE sanctioned the employees involved in the incident and held a mandatory training regarding the HIPAA Privacy and Security Rule for all departments involved in the breach. The CE also revised the policy for office moves. OCR obtained assurances that the CE implemented the corrective action listed above.
#1
Woman and Infants Hospital of Rhode Island (RI)
Individuals Affected: 14,004
Breach Submission Date: 11/5/12
Type of Breach: Loss
Location of Breached Information: Other
Notes:
Women & Infants Hospital announced that on September 13, 2012, the hospital discovered that unencrypted backup tapes containing ultrasound images from two of its ambulatory sites located at 79 Plain Street in Providence, RI and 67 Brigham Street in New Bedford, MA were missing. The hospital immediately began an investigation and conducted a thorough search of its facilities but has been unable to locate the backup tapes.
The backup tapes contained ultrasound studies dating from 1993 to 1997 in Providence and from 2002 to 2007 in New Bedford and included patient names, dates of birth, dates of exam, physicians’ names, patient ultrasound images, and, in some instances, Social Security numbers.
