BreachExchange mailing list archives
Two Data Breaches in Kentucky
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Tue, 4 May 2010 00:16:45 -0400
Two Kentucky hospitals in recent days have disclosed breaches of protected health information.

Our Lady of Peace, a psychiatric hospital in Louisville, is notifying 24,600 individuals after a flash drive came up missing on April 1. The hospital does not have a notice published on its Web site, but a notice is published on the site of corporate parent Jewish Hospital & St. Mary's Healthcare. The hospital ran a legal advertisement notifying the public in the Courier-Journal, Louisville's largest newspaper, on April 29. The new breach notification rule under the HITECH Act requires disclosures within 60 days for breaches known to affect 500 or more individuals. Smaller breaches must be reported on an annual basis.

The flash drive contained unencrypted data on patients admitted since 2002 and patients assessed, but never admitted, since 2009. Data on admitted patients included name, room number, insurer name, and admission and discharge dates. It did not include diagnoses or treatments, Social Security number, date of birth, telephone numbers or address. Data on assessed patients included name, date of assessment, date of birth and the time they left the hospital. It did not include diagnoses or treatments, Social Security numbers, telephone numbers, address or insurance information.

Our Lady of Peace now is reeducating employees on ways to protect patient information, implementing encryption technology and disciplining an undisclosed number of employees, according to a media statement. A spokesperson declined further comment.

In the second breach incident, The Medical Center in Bowling Green is notifying 5,418 patients following the theft of a hard drive from the hospital's mammography unit. The unencrypted drive contained information on patients who underwent bone density testing at the hospital between 1997 and 2009. The drive was found to be missing on April 1 and the hospital made the announcement on April 28.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/