Medical Center Breaches Lead RoundupIn 2 Cases, Patients' Medical Records Inappropriately Viewed
In this week's breach roundup, the University of Pittsburgh Medical Center is notifying 1,300 patients treated at various UPMC locations over the past year that their records were viewed inappropriately by an employee, who was subsequently fired. Also, a former financial manager at a medical center in England was fined after pleading guilty to unlawfully accessing personal data on more than 1,900 patients.
UPMC Fires Employee
The University of Pittsburgh Medical Center is notifying 1,300 patients treated at various UPMC locations over the past year that their records were viewed inappropriately by an employee.
The employee has been terminated, and local and federal authorities have been notified, according to a statement posted to the medical center's website.
Compromised information includes patient names, dates of birth, contact information, treatment and diagnosis information, and Social Security numbers, UPMC said.
UPMC has set up an FAQ page detailing the incident. It is providing additional employee training and reviewing its privacy policies and procedures.
UK Breach Results in Fine
A former financial manager at College Practice GP, a medical center in Maidstone, located in Kent, England, was fined after pleading guilty to unlawfully accessing personal data on 1,940 patients.
The manager, Steven Tennison, was prosecuted by the UK Information Commissioner's Office. He was fined a total of Â£996 and ordered to pay a Â£99 victim surcharge and Â£250 prosecution costs, according to the ICO.
The breaches came to light in October 2010 when a manager at College Practice GP was asked to review Tennison's attendance file. The review also included a check of Tennison's use of the patient records program.
The results of the review showed that Tennison had accessed patients' records on 2,023 separate occasions between Aug. 6, 2009 and Oct. 6, 2010, the ICO said. The majority of the individuals whose records were viewed were women in their 20s and 30s, according to the ICO.
"We may never know why Steven Tennison decided to break the law by snooping on hundreds of patients' medical records," said Stephen Eckersley, head of enforcement at the ICO. "What we do know is that he'd received data training and knew he was breaking the law, but continued to access highly sensitive information over a 14-month period."
Man Sentenced in Cyber-Attack
Eric Rosol of Black Creek, Wis., has been sentenced to two years of federal probation and ordered to pay $183,000 in restitution for taking part in a distributed-denial-of-service attack on Koch Industries in Wichita, according to the Federal Bureau of Investigation's Kansas City Division.
The attack was sponsored by the hacktivist group Anonymous, U.S. Attorney Barr Grissom said. In his plea, Rosol admitted that on Feb. 28, 2011 he took part in the attack, using software called a Low Orbit Ion Cannon Code, which was loaded onto his computer.
Icelandic Telecommunications Site Hacked
Telecommunications company Vodafone Iceland is investigating how a hacker managed to gain access to the company's website on Nov. 29 and obtain Web-based text messages, passwords and national identity numbers.
The compromised information was then posted online, according to the Wall Street Journal. Compromised information includes Web-based text messages for 5,000 customers, including government officials, and unencrypted passwords for 70,000 accounts.
Vodafone Iceland is an independent company that has a licensing agreement with the U.K. mobile operator Vodafone Group, according to the news report.
The IP address tied to the hacker can be traced back to Turkey, the company said.
As a result of the incident, the company set up a service center where individuals could go to determine whether any of their text messages or passwords were stolen, the news report said.
Back in September, Vodafone notified about 2 million of its customers in Germany of a breach of sensitive financial information after it verified a highly sophisticated intrusion into one of its servers by an insider [see: Vodafone Victim of Insider Breach].
Lawsuit Follows Dynacare Breach
A Milwaukee firefighter and his wife have filed a lawsuit against Dynacare Laboratories and Froedtert Community Health/Workforce Health following a breach that affected more than 9,000 individuals, including city employees [see: Milwaukee City Employees' Data Exposed].
Joseph Newbold, the lawyer representing Michael J. Wojnar and his wife Ethel, is seeking class-action status for the lawsuit, according to the Milwaukee Wisconsin Journal Sentinel.
The City of Milwaukee also filed a formal complaint with the Department of Health and Human Services' Office for Civil Rights against Dynacare Laboratories. The city has a contract for certain health services with Froedtert Community Health/Workforce Health, and it provided the organization with city employee information in a secure and password-protected manner, according to a statement from city attorney Grant Langley.
Workforce Health then contracted out certain services to Dynacare, a clinical laboratory services vendor. An employee for Dynacare Laboratories had their car stolen on Oct. 22, with an unencrypted flash drive containing Milwaukee city employee information left inside, according to a statement from Dynacare.
Information on the drive includes names, addresses and Social Security numbers of city employees, a spokesperson for Dynacare told Information Security Media Group. In addition, the names of approximately 3,000 spouses and domestic partners of the city workers were on the drive.