BreachExchange mailing list archives

Two Data Breaches in Kentucky


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Tue, 4 May 2010 00:16:45 -0400

Two Kentucky hospitals in recent days have disclosed breaches of
protected health information.

Our Lady of Peace, a psychiatric hospital in Louisville, is notifying
24,600 individuals after a flash drive came up missing on April 1.
The hospital does not have a notice published on its Web site, but a
notice is published on the site of corporate parent Jewish Hospital &
St. Mary's Healthcare. The hospital ran a legal advertisement
notifying the public in the Courier-Journal, Louisville's largest
newspaper, on April 29.

The new breach notification rule under the HITECH Act requires
disclosures within 60 days for breaches known to affect 500 or more
individuals. Smaller breaches must be reported on an annual basis.

The flash drive contained unencrypted data on patients admitted since
2002 and patients assessed, but never admitted, since 2009. Data on
admitted patients included name, room number, insurer name, and
admission and discharge dates. It did not include diagnoses or
treatments, Social Security number, date of birth, telephone numbers
or address.

Data on assessed patients included name, date of assessment, date of
birth and the time they left the hospital. It did not include
diagnoses or treatments, Social Security numbers, telephone numbers,
address or insurance information.

Our Lady of Peace now is reeducating employees on ways to protect
patient information, implementing encryption technology and
disciplining an undisclosed number of employees, according to a media
statement. A spokesperson declined further comment.

In the second breach incident, The Medical Center in Bowling Green is
notifying 5,418 patients following the theft of a hard drive from the
hospital's mammography unit. The unencrypted drive contained
information on patients who underwent bone density testing at the
hospital between 1997 and 2009. The drive was found to be missing on
April 1 and the hospital made the announcement on April 28.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
