This blog series has been following the continuing flow of large security breaches of Protected Health Information (“PHI”) and how affected providers and insurers have been responding to their discovery. Immediately before the July 4th weekend, there was a posting on the U.S. Department of Health and Human Services Web site, which lists breaches of unsecured PHI affecting 500 or more individuals (the “HHS List”), of a PHI security breach affecting 400,000 individuals that was reported by Spartanburg Regional Healthcare System (the “System”).
The HHS posting respecting the System reports that a PHI breach (the “System Breach”) occurred on March 28, 2011 from the “Theft” of a “Desktop Computer.” As a result, the System appears to have suffered the fourth largest PHI security breach reported on the HHS Web site during 2011, surpassed only by the following, each of which has been discussed earlier in this blog series:
- the Health Net breach that involved 1,900,000 persons;
- the New York City Health and Hospitals Corporation’s North Bronx Healthcare Network breach with a reported 1,700,000 persons affected; and
- the Eisenhower Medical Center breach with a reported 514,330 persons affected.
The history of the System’s reporting of the System Breach has been somewhat puzzling. Although the System’s Web site had for some time displayed a prominent link on its home page to the letter that the System sent to the affected individuals (the “System Letter”), that link now appears to have been removed from the home page. After a search, there appears to be no other reference to the System Breach anywhere on the System’s Web site, including the news archive linked from the home page.
The System Letter asserted that the computer was stolen from the car of an employee who was “authorized to have possession of the computer.” The computer reportedly contained a password-protected file with Social Security numbers as well as names, addresses, dates of birth and medical billing codes. The System Letter also reported that the System will make available to affected individuals enhanced identity theft consultation and restoration and one year of free credit monitoring, although the System “had no evidence that any information has been misused.”
For some reason, the System originally made no disclosure of the large number of persons affected. This is not the first time that a provider that suffered a significant PHI security breach did not report the number of affected persons. See, for example, the postings in this blog series respecting Henry Ford Health System. It is perplexing that a hospital would choose to withhold disclosure of the extent of its PHI security breach, as it risks a second round of significant media attention when the posting on the HHS List takes place one to three months later. It would appear that providers and insurers should understand that one major media encounter for a single PHI security breach event is more than enough publicity.