2nd Business Assoc. Breach Hits Hospital
Records Posted on Website by Mistake
In the latest incident, the hospital is notifying more than 1,700 patients of a breach in which Professional Transcription Co. mistakenly posted clinical reports on its website for up to 10 months. The company, which transcribes physicians' dictated reports, posted patient names, medical record numbers, hospital account numbers, dates of birth, diagnoses and other clinical information on the site. The information, however, did not include addresses, Social Security numbers or financial information, the hospital said.
"We have no information to indicate that the information was actually viewed by any unauthorized individuals," according to a statement on the hospital's website. The vendor involved is performing a security assessment to identify and implement measures to avoid similar incidents, the statement added.
In May, the hospital reported that an employee of KPMG, which provides professional services to parent company Saint Barnabas Health Care System, lost an unencrypted flash drive containing information on 956 hospital patients. The drive may have contained a list with some patient names and information about their care, the hospital reported. The hospital said it had no evidence the information was accessed by any unauthorized person.
Another Breach Incident
In another recent health information breach involving a business associate, Ochsner Health System is notifying nearly 9,500 patients that letters sent out by HELP Financial Corp. on behalf of the Louisiana system contained incorrect patient information.
The names, medical record numbers, account numbers and account balances in the letters did not match the records for those to whom the letters were mailed. The letters referred to payment arrangements being made. The mistake was due to a programming error, according to an Ochsner statement, and HELP has corrected the problem.
All of these breaches were reported to the Department of Health and Human Services' Office for Civil Rights for inclusion in its list of major health information breaches as required under the HITECH Act's breach notification rule.