BreachExchange mailing list archives

Hospital discloses privacy breach


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Tue, 28 May 2013 12:05:48 -0500

http://news.sonomaportal.com/2013/05/24/hospital-discloses-privacy-breach/

Sonoma Valley Hospital announced today that it has notified a group of
patients of a Health Insurance Portability and Accountability Act
(HIPAA) privacy breach that involved the hospital inadvertently
posting limited patient information on the hospital’s website.

The hospital reported that the information was removed upon discovery,
patients were notified, and steps were taken to prevent a
reoccurrence.

According to Richard Reid, hospital CFO and Compliance Officer, the
breach occurred on February 14, 2013, and involved an employee
accidentally uploading personal information for 1,350 surgery patients
to the hospital website as part of a routine website update.

The error was not discovered until April 17, 2013, because the
information was placed on a section of the website that was not
directly accessible through the website, but only through a search
engine. Upon discovery, it was immediately removed and the hospital
began an investigation of the cause.

The breach involved patients in the hospital for surgery during the
period July 1, 2011, to June 30, 2012. Patient information posted was
limited to patient name, date of service, procedure, surgeon, hospital
charges and name of insurance company. No other personal data such as
social security number, birth date, driver’s license or address was
included, Reid said.

“We have apologized to the patients involved for our error and assured
them that we have taken action to understand the cause of the breach
and strengthen policies and controls protecting patient information,”
Reid said. “We take patient privacy very seriously at Sonoma Valley
Hospital and we are deeply sorry for any discomfort that this may have
caused our patients.”
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list