315,000 patient files have disappeared from Emory Healthcare, an Atlanta-based healthcare company. The files contained 17 years' worth of private data on all patients who had a surgical procedure done at Emory University Hospital, Emory University Hospital Midtown, and The Emory Clinic Ambulatory Surgery Center between 1990 and 2007. Besides protected health information, the discs also contained around 228,000 patients’ Social Security numbers.
According to John T. Fox, CEO of Emory Healthcare, the files were not obtained through hacking. An employee discovered that the backup files, which were no longer in use, were missing from an office cabinet. Whether they were stolen or misplaced is not yet known, but there is no evidence that the files have been misused.
Fox apologised on behalf of Emory Healthcare and said the company will be sending letters to affected individuals whilst also offering free identity protection services. It is estimated that the breach will cost Emory Healthcare as much as $2m.
See the full story in the Atlanta Journal-Constitution
The Information Commissioner’s Office (ICO) has proposed a fine of £375k, its largest so far, for a patient privacy breach at Brighton and Sussex University Hospitals NHS Trust. The incident occurred when hard drives containing patient data were sold on eBay by the registered contractor hired to destroy them. The hard drives have been safely recovered but the breach could mean major consequences for the Trust.
The Trust is doing its best, however, to challenge the proposal, explaining that they were themselves a victim of a crime which they reported to police as soon as they were alerted. But the ICO says it is still investigating whether this breach violated the Data Protection Act (DPA). The DPA stipulates that organisations must take all appropriate measures to prevent the loss or destruction of personal data, and that they must go the extra mile when dealing with particularly sensitive data, such as medical records.
The question is whether hiring a trusted contractor to handle the material is going far enough to protect patient records. I suppose we’ll have to wait and see.
See the full story on Out-Law.com
TRICARE, the insurer for the US military health system, is facing a whopping $4.6 billion lawsuit after back-up tapes containing patient data were stolen from a car. The tapes are said to contain personal details such as names, addresses, phone numbers, Social Security numbers, clinical notes and prescriptions of individuals who were treated at San Antonio military facilities over the last two decades. The suit seeks $1,000 in damages for each of 4.9 million affected individuals.
Filed by a military spouse and her two children and an Air Force veteran, the TRICARE lawsuit contends that the insurer took too long to make patients aware of the breach and asks for 11 orders from the court including the awarding of damages, provision of free credit monitoring services and the halt of record transfer until an independent panel finds that the process is sufficiently secure.
TRICARE is not alone. Another covered entity, Stanford Hospital and Clinics, is fighting a $20 million lawsuit after private information of around 20,000 of its patients was found accessible to the public on a website.
See the full story on www.InsuranceNetworking.com