Highmark Subsidiary Visionworks Struck by 75K HIPAA Breach

Highmark Inc., the Pennsylvania-based health insurance company, has announced today that Visionworks, one of its subsidiaries, has lost a computer server containing the medical records of roughly 75,000 patients.

The medical information stored on the server included details of patients’ visits to Visionworks optometrists, their lens prescriptions, and their names and addresses. The HIPAA breach is believed to have potentially exposed the information of patients who had previously visited its Annapolis, MD store. Its other 650 vision care centers nationwide are thought to be unaffected.

In accordance with the breach notification rules laid down in HIPAA, all affected individuals are being notified of the data breach by mail and are being offered one year of free credit monitoring services via Equifax.

The breach letter informs patients that the incident that exposed patient data was, in fact, part of the company’s efforts to improve security and privacy. As part of the company’s data encryption program, a server was scheduled to be replaced; however, after the old server was taken out of service, it was temporarily stored at the company’s location in Jennifer Square. When the server was finally recalled to Visionworks’ home office in San Antonio, staff at the Jennifer Square clinic could not find it.

An investigation was immediately carried out to locate the missing server, and Visionworks has now established that it was inadvertently discarded and put in a dumpster. At the time, the Visionworks store where the server was located was being renovated, and there was a substantial quantity of building materials and construction debris at the store. It has been assumed that the server was inadvertently thrown out with the debris and is currently in a landfill, although there is a chance that the server was stolen while the construction work was in progress.

Credit card information stored on the server was limited to only 3 days of records (roughly 100 files from May 31, 2014 to June 2, 2014), and this information was fully encrypted and therefore unreadable. A limited number of Social Security numbers might have been exposed in the breach, although these were not identified as such in the file.

Personal and Protected Health Information stored on the server included names, contact telephone numbers, health insurance providers, addresses, group names and numbers, vision care expiration dates, and member IDs. Patients’ sex, occupation, referral source, examination notes, and lens production/prescription information were also included.

According to the notice posted on the company’s website, “Presently, there isn’t any reason to suppose that any of the info on the server has been used or accessed wrongly.” Efforts to find the server are continuing.

The breach has been reported to the Department of Health and Human Services’ OCR, which may carry out an investigation to determine whether HIPAA rules and regulations have been followed. If violations are found, Visionworks could face a considerable financial penalty.


Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.