Privacy Advisor

Data Breaches: A Roundup

June 3, 2013

By Jedidiah Bracy, CIPP/US, CIPP/E

Data breaches continue to plague organizations across industry sectors. Here’s a look at some of the breaches that have hit businesses in the last two weeks.

The popular content management platform Drupal was hacked last week, and according to a TechCrunch report, nearly one million user accounts were compromised. It is believed hackers had access to usernames, e-mail addresses and hashed passwords. The company has reset all user passwords and published an FAQ about the incident. Drupal is still investigating the incident. 

Health Data

Idaho State University has agreed to pay $400,000 and implement a “corrective plan of action” in a settlement with the U.S. Department of Health and Human Services Office for Civil Rights, ModernHealthcare reports. Nearly 17,500 patient records were affected at the university’s Pocatello Family Medicine Clinic. According to an OCR press release, the patient data was left unsecured for at least 10 months. The OCR also found that the organization had not conducted a HIPAA-mandated risk assessment between 2007 and 2012.

Florida-based Jackson Health System has notified 1,407 patients that paper copies of their medical records have been lost. A spokesman said, “We hold ourselves accountable any time a patient’s information is illegally or inappropriately accessed, which is why we are offering this free credit and identity protection as a precaution.”

California’s Sonoma Valley Hospital has also publicized a breach of 1,350 surgery records. The incident occurred during a routine software update that allowed the sensitive data to be accessible through a search engine. The hospital has said it has “taken action to understand the cause of the breach and strengthen policies and controls protecting patient information.” 

The Texas-based Health Information Trust Alliance has been hacked. The incident exposed 111 records that included “some real names, companies, addresses, phone numbers and e-mail addresses.”

A laptop containing the personal health information of 13,806 patients has been stolen from a now-closed private practice in New York, HealthITSecurity reports. The stolen data included Social Security numbers, diagnoses and surgery billing codes. The oral surgeon, whose patients were affected, has notified state authorities. 

LSU Health Shreveport in Louisiana has notified more than 8,000 patients of a data breach stemming from a data entry error that caused patients to receive the incorrect health data. Here is a copy of the official announcement.

Erie County, NY, DSS is investigating a data breach involving paper records that were left in public, and Ontario’s Thunder Bay Regional Health Sciences Centre has apologized for a breach of more than 500 diagnostic images.

Meanwhile, a co-conspirator who pleaded guilty to stealing 881 patient records from Alabama’s Troy Medical Center has been sentenced to 10 years in prison.

Analysis

FierceHealthIT reports that U.S. lawsuits from healthcare breaches “are growing more sophisticated as lawyers change tactics beyond trying to show that exposure of patients’ personal information led to financial harm.” A Thomson Reuters article highlights two new arguments being used, including “unjust enrichment” and breach of contract.

A Law Technology News report notes that the U.S. Supreme Court decision in Clapper, Director of National Intelligence, et al. v. Amnesty International USA et al. could suggest “that the possibility of future harm is insufficient to meet the standing requirement.” Rebecca Shwayri writes, “The court’s reasoning in Clapper will have a direct impact on data breach cases by requiring plaintiffs to move beyond the mere speculative possibility of injury and by foreclosing plaintiffs from asserting certain types of damages as evidence of standing,” adding, “Companies defending against data breach litigation should consider Clapper when trying to dismiss the case for lack of standing.”

According to ITnews, data breach laws in Australia will drive class-action lawsuits. The Australian government is planning to implement new mandatory breach notification legislation next year.