Postings on this blog series have been following the continuing flow of large security and privacy breaches of Protected Health Information (“PHI”) that has been reported on the U.S. Department of Health and Human Services (“HHS”) Web site. A recent posting highlighted an area that has received relatively little media attention respecting the HHS list (the “HHS List”) of reported large breaches of unsecured PHI affecting 500 or more individuals (“Large Breaches”) - the extent to which such Large Breaches are stated to be attributable to events involving business associates (“BAs”) of the reporting covered entities (“CEs”). Some Large Breaches involving BAs will be reviewed in this and future postings.
The HHS List reveals that Ohio Health Plans (“OHP”), the public health care program overseen by the Ohio Department of Jobs and Family Services, reported as a CE that a Large Breach on June 3, 2011 involving 78,042 individuals had resulted from the theft of a laptop (the “OHP Breach”). The HHS List states that “Area Agency on Aging, Ohio District 5” was a “Business Associate Involved.” Unlike some other disclosures respecting Large Breaches reported on the HHS List, no further information is available on the HHS List for the OHP Breach.
A June 20, 2011 report of the OHP Breach in CrawfordCountyNow.com (the “Internet Report”) indicates that the correct corporate name of the affected BA is Ohio District 5 Area Agency on Aging, Inc. (the “Agency”). The Internet Report states:
A laptop computer assigned to a PASSPORT case manager with the Ohio District 5 (Mansfield) Area Agency on Aging, Inc. containing consumer’s personal health information was stolen from a vehicle on June 3. The computer contained personal health information of up to 43,000 consumers and the personal contact information of up to 35,000 related clients’ personal representatives.
The Internet Report quotes an apology from the CEO of the Agency, Duana Patton, and describes steps that the Agency was taking to mitigate the loss to affected individuals, including access to credit protection services and an 800 number to answer questions. Nowhere in the Internet Report is there any reference to OHP or the fact that the Agency was in possession of the PHI as a BA of a CE.
A visit to the Internet Web site of each of OHP and the Agency reveals no information respecting the OHP Breach. There is no reference to the OHP Breach in the links on the Home page of the OHP Web site or the links accessible through the “News & Events” link, including the “What’s New” and “News Releases” links.
The Agency Web site describes the Agency as
a private non-profit Agency, designated by the State of Ohio to be a Planning and Service Area (PSA) as mandated in the Older Americans Act, as enacted by the Federal Government in 1965. The Agency administers Title III, State Block Grant, Medicaid and other grant funds.
Again there is no reference to the OHP Breach on the Agency Web site, either in the “News and Events” links, the “Privacy Information” link or elsewhere, or the efforts of the Agency to mitigate adverse consequences to affected individuals that may result from the OHP Breach.
It appears that OHP, as the CE with respect to the OHP Breach and the entity required to report the OHP Breach to the HHS for placement on the HHS List, left it to the Agency as the apparently responsible BA to confront the aftermath. Moreover, OHP and the Agency appear to have consciously limited disclosures regarding the status of OHP as the CE to avoid adverse publicity for OHP, perhaps because it is part of the Ohio state sponsored health programs.
Other Large Breaches involving BAs that have been reported on the HHS List will be reviewed in future postings on this blog.