Healthcare Breaches Lead RoundupUSB Device Lost; Arrest in Records Sale Case
In this week's breach roundup, the University of Texas MD Anderson Cancer Center reported its second breach since April. Also, a former staff member at Florida Hospital Celebration was arrested for allegedly selling accident victims' records.
See Also: The Global State of Online Digital Trust
Cancer Center Reports 2nd Data Breach
The latest incident, which occurred in July, affected about 2,220 patients and involved a lost USB thumb drive. An April laptop theft incident affected 30,000 individuals.
In the latest breach, the Houston-based cancer center says a thumb drive containing patient data and research information was lost on one of its shuttle buses on July 13. After learning of the incident on July 14, the cancer center says it launched a search for the missing device and conducted a thorough investigation, but it did not locate the missing drive, according to a statement on its website.
Selling Records for Profit Alleged
A former staff member at Florida Hospital Celebration was arrested for allegedly inappropriately accessing more than 760,000 electronic health records with the intent to disclose, transfer or sell certain information for personal gain.
Dale Munroe, a former emergency department registration representative, accessed the records from 2009 to the third quarter of 2011, according to a criminal complaint that the Federal Bureau of Investigation filed Aug. 13.
Many of the medical records Munroe allegedly scrolled through were for individuals involved in automobile accidents, the complaint notes. And many of those patients subsequently received solicitation phone calls for attorney or chiropractor services. Investigators determined there were more than 12,000 patients that fit this description of inappropriate access to their personal health information.
University of South Carolina Server Breached
The University of South Carolina has begun notifying approximately 34,000 individuals that their personal information may have been exposed during a cyberattack on the university's College of Education server.
Information that may have been accessed includes names and Social Security numbers of certain students, alumni, employees or others associated with the College of Education. In certain cases, addresses and phone numbers were also stored with the records, according to a communications director at the university.
University officials say they immediately secured the server and added additional security measures once the breach was discovered on June 6. The university is offering affected individuals one year of free enhanced identity theft consultation from Kroll Advisory Solutions.
Children's Records Exposed
UK educational consulting firm Gabbitas reported an online breach that exposed almost 1,400 records containing sensitive information about children, according to The Telegraph.
Compromised information includes names and addresses of pupils and parents and confidential notes about the children's personalities, illnesses and learning difficulties, the news report said.
The breach stems from a database that was viewable through Google searches and was published on Gabbitas' Independent Schools Guide website. Upon learning of the data breach, Prospects Services, which owns Gabbitas, shut down the Independent Schools Guide page. The firm has claimed the information was made available after the site fell victim to a cyberattack, according to the news report.
The UK Information Commissioner's Office, which was alerted about the breach by The Telegraph, says it will investigate the incident.
Stolen Safe Contained Backup Tapes
The theft of a safe containing backup computer tapes at the Kindred Transitional Care and Rehabilitation business office in Sellersburg, Ind., has potentially exposed patient information, according to an announcement on the healthcare provider's website. Although the announcement doesn't identify how may individuals were affected, it indicates that the breach affected past, present and prospective patients at several Kindred facilities.
The break-in was discovered June 4. The tapes included patients' diagnoses, Social Security numbers, clinical information, addresses, dates of birth, insurance numbers and dates that services were received, as well as bank account information.
Most of the affected patients were admitted between 2009 and 2012, the announcement said. Kindred is offering affected individuals free credit monitoring services for one year.
Second Breach at Wright-PattersonWright-Patterson Medical Center in Dayton, Ohio, has reported its second major breach incident since 2010. It's alerting 3,800 individuals that their names and Social Security numbers may have been compromised after a paper notebook was missing overnight after a blood drive, according to the Dayton Daily News. The notebook was found the next morning behind a chair, the Dayton Daily News said.
The notebook included personal information on participants and sign-in sheets. The center sent out notification letters to the donors who were affected.
In July 2010, Wright-Patterson reported a breach resulting from improper disposal of paper records that affected about 2,100 patients, according to the Department of Health and Human Services' Office for Civil Rights' list of major breaches.