Breaches at 2 Public Health Departments
California, Connecticut Report Health Information Breach IncidentsThe California Department of Public Health reported that a magnetic tape mailed from one office to another has been lost. The unencrypted tape included information on up to 2,550 public health facility residents and staff.
Information on the tape included Social Security numbers for some residents, employees and healthcare workers, as well as health information on some residents, employee e-mails, investigative reports and background information on healthcare workers.
The tape was mailed via the U.S. Postal Service as part of a procedure for backing up computer data, the department reported. The envelope arrived at its destination unsealed and empty.
The department has implemented policies and procedure changes to minimize the likelihood of a recurrence and is researching options that would eliminate the need for backup tape, according to a statement.
The department is notifying those affected, as required under the HITECH Act breach notification rule. It reports that so far, there is no evidence that unauthorized parties have accessed personal information from the tape.
Ironically, the California Department of Public Health has issued numerous fines to hospitals for breach violations under the state's tough laws.
Connecticut Health Information Breach
Meanwhile, the Connecticut Department of Public Health reported a glitch during a system upgrade to appointment scheduling software. Information intended for regional offices was inadvertently sent to an undetermined number of e-mail addresses in the state. The department is still investigating the cause of the error.The information in the e-mails included the names of clients, phone numbers and confirmation of appointments. The number of individuals affected has not yet been determined, and the department is considering "remedies" for affected individuals, according to a statement.
The Connecticut attorney general was the first in the nation to file a federal civil suit for HIPAA violations as enabled under the HITECH Act. Plus, under a new state policy, insurers in Connecticut must report health information breaches within five days, even if the data was encrypted.