Physicians Ensnared in Data Breaches

Several of the breaches involved different practices in related Torrance, CA offices. The Los Angeles Times reported that the medical records of more than 18,000 patients of at least five Torrance doctors were "potentially accessed by cyber-thieves on a single day."   I called the practices; either they would not return my call or declined to speak about it.

However, a spokeswoman for another practice ensnared in a breach told me: "It was really horrible. The (doctor) found out about the breaches the same day it happened. He's a victim, yet he's responsible for taking care of it. It all goes back to him." She wouldn't elaborate and he didn't want to discuss it.

Minnock, the office manager at the Massachusetts physician's office, says her office has taken major steps toward improving the manner in which records are kept. "The lesson is, don't take the tapes home, don't take the laptop home. You really need appropriate safeguards," Minnock says. Not only are the records now encrypted, "now they are double locked like the banks do."

But it doesn't have to be a small physician's office to find out the hard way about losing data.  "Over at South Shore Hospital, they are big and they had a breach," she points out.  South Shore Hospital, in South Weymouth, MA, recently disclosed it had a major breach.

In a statement last month, the hospital reported that back-up computer files containing personal, health and financial information affecting potentially 800,000 people may have been lost by a professional management company, according to a statement from the hospital. The missing files included information on patients, employees, physicians, volunteers, donors, vendors and other business partners dating from Jan. 1, 1996, to Jan. 6, 2010.

The hospital said it sought to destroy the files because they were in a format it no longer uses. Apparently, however, a freight carrier lost a shipment of files scheduled for destruction.

Hospital officials say they have no evidence that information on the backup computer files had been accessed by anyone. An independent security consulting firm told the hospital that specialized software, hardware and technological knowledge and skill would be required to access and decipher the files. Still, the incident is under investigation by state authorities.

The hospital will send letters to individuals affected once it verifies whose information may have been included in the missing back-up files. Once the investigation is completed, the hospital said it will determine whether to provide free credit and identity theft monitoring to any of those affected.
South Shore is only a reminder to Minnock that security can't be taken for granted, as well as the swirling demands of HIPAA compliance.