The Parade of Major Reported PHI Breaches Hits 400 – Theft is the Primary Type of Breach

April 1, 2012 – In The News
Garden State Focus
Previous issues of this magazine have contained articles on the breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”)1 as breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). On February 24, 2012, HHS posted number 400 in the ever-lengthening Parade of List Breaches.

As the first postings on the HHS List occurred on March 4, 2010, it took almost exactly two years to reach the 400 level, which means that an average of 200 postings of List Breaches have been occurring each year.

A closer look at the 400 List Breaches reveals that there are an appreciable number of repeat marchers in the parade.2 In some cases assumptions had to be made as to repeat marchers because the names of some covered entities on the HHS List were similar but not identical to others or appeared to be different divisions of the same covered entity.

Based on such assumptions (including counting multiple divisions as one covered entity), there were:

(i) 28 covered entities with two List Breaches,
(ii) 16 covered entities with three List Breaches and
(iii) 1 covered entity with four List Breaches.

Therefore, there were 337 separate covered entities that reported the total of 400 List Breaches. Of the total of 400 List Breaches, 223 of them attributed the cause or partial cause of the breach to be “Theft.” Of the 223 thefts reported, 93 of them were characterized as theft of a laptop. Therefore, it is not surprising that the 400th List Breach was reported by Triumph, LLC (“Triumph”) as a theft on December 13, 2011 of a laptop containing PHI that related to several of its North Carolina behavioral and psychiatric facilities and affected 2,000 individuals (the “Triumph Breach”).

While the facts of the Triumph Breach were not remarkable in themselves, the event is worthy of review as being a typical List Breach involving a theft of a laptop that contained PHI of several thousand individuals. A closer look at the Triumph Breach reveals that it was an event as to which Triumph appears to have been a victim with little ability to avoid the loss.

Triumph should be commended for having placed a HIPAA Breach Notification (the “Notification”)3 on its Web site and a prominent notice on its Home page4 in red with a link to the Notification and the following advice: “Please click here to read the public notice which may affect consumers receiving services from our Winston-Salem, Mocksville and King facilities.” Many covered entities have not prominently detailed List Breaches on their Web sites.

The Notification states that the Triumph Breach occurred on December 13, 2011 when three men entered the 2nd floor lobby of a Triumph facility. While two of them were distracting the receptionist, the third entered a hallway and stole a laptop computer from an office. Because the Notification says only that the laptop was password protected, and makes no mention of encryption, one can reasonably conclude that the data on the laptop was not encrypted. A login password alone does not protect data on a stolen laptop, since the drive can simply be read in another machine.

The information on the Triumph computer was reported in the Notification to have included names, dates of birth, medical record numbers, insurance/Medicaid numbers, billing codes and authorization status for services, but not social security numbers, diagnostic codes or specific financial information.

Although the HHS List states that 2,000 individuals were affected by the Triumph Breach, no reference to the number of affected individuals was contained in the Notification. Many covered entities that provide information on their Web sites as to List Breaches do disclose the number of affected individuals.

Additionally, while the Notification included contact information for questions about the Triumph Breach, no reference was made in the Notification as to the offering by Triumph of credit monitoring or other security services to affected individuals, as has been done for many other similar List Breaches. Perhaps the explanation for the latter omission is the following statement by Triumph in the Notification:

We believe the motive for the theft was for the computer not for the information stored on the computer. In light of this theft, we are examining our policies, procedures and protocols to safeguard against any future incidents.

Nonetheless, it is uncertain as to whether the PHI stored on the computer will be inappropriately accessed and used.

Triumph was an unfortunate victim of a theft of PHI as many other providers have been. Nonetheless, the Triumph Breach is a reminder that, no matter how a List Breach is caused, it will be costly for the covered entity on many levels, and the ultimate extent of the adverse impact cannot be known with certainty.

Finally, while the Parade of List Breaches continues to grow, there are many more PHI data breaches involving fewer than 500 individuals that are occurring as well. It is likely more a question of when, rather than whether, a covered entity will suffer a PHI data breach.

Footnotes
  1. The Internet link is http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html.
  2. The blog series produced by lawyers at Fox Rothschild LLP relating to HIPAA/HITECH/HIT has followed a number of them, including Health Net, Henry Ford Health System, SAIC and University of Rochester Medical Center. Its Internet link is http://hipaahealthlaw.foxrothschild.com/articles/breaches/.
  3. The Internet link is http://www.triumphcares.com/PublicNotice.pdf.
  4. The Internet link is http://www.triumphcares.com/.