University of Oklahoma Neurology Clinic notifies almost 20, 000 of security breach

[Christine Fulgham <christine () opensecurityfoundation org>]

http://www.databreaches.net/?p=14568


In the process of updating PHIprivacy.net to reflect breaches newly
disclosed by the U.S. Dept. of Health and Human Services (HHS), I found
reference to a breach for which I was able to find a companion statement.

The University of Oklahoma-Tulsa, Neurology Clinic recently notified HHS of
an incident affecting 19,264 patients. According to HHS’s logs, the clinic
reported that the incident occurred or was detected on or about July 25. In
a statement dated September 24 and posted on their web site on October, the
clinic states:

The University of Oklahoma’s Tulsa Neurology practice recently became aware
that one of its clinic computers had been compromised by a virus. The Clinic
is notifying individuals whose records were maintained on the computer of
the discovery. Patients of Dr. John Cattaneo and of Neurology, LLC, a Tulsa
practice where Dr. Cattaneo formerly practiced are being notified this week
by letter.

The letters advise the patients that an intensive investigation determined
that a virus capable of retrieving data from documents located on the
computer had been discovered. Although it is not possible at this time to
determine what documents on the computer, if any, were accessed by this
virus, in an abundance of caution, the Clinic is notifying those individuals
whose information and documents were stored there. Many of these documents
included some or all of the following: patient name, telephone number,
address, birth date, Social Security Number, medical record and insurance
numbers, procedure billing codes, diagnosis codes, lab reports, office
notes, radiology reports, and service dates. In some records, guarantor
information was also included. The virus was detected on or about July 28,
and its properties were determined during the investigation.

This incident serves as a useful example of why HHS’s summary logs are not
really that helpful to those who track and analyze data breaches. Their logs
note the incident as a “hacking/IT incident”  and their logs do not indicate
the kinds of information involved in any particular breach. Hence, many of
the incidents reported on their site might involve SSN, Medicare numbers, or
financial info, but we simply can’t tell because their logs don’t tell us.

Perhaps all of those who track and analyze breaches should consider sending
a joint letter to Congress and to HHS urging them to make more information
on breaches available on their web site.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/

Take CREDANT Technologies short survey on cloud usage and security.
Take the survey: http://www.surveymonkey.com/s/TXDR7WT
Respond by October 12, 2010.
Enter to win a $500(US) Amazon Gift Card.