HIPAA Business Associate Reports 31K Record Data Breach

Omaha-based Seim Johnson, a business associate of several healthcare providers in Nebraska and beyond, has announced that one of its laptops was stolen in Nashville, Tennessee, exposing almost 31,000 patient records.

The laptop contained the protected health information of 30,972 patients, including 4,200 patients of Community Hospital in McCook, Nebraska. It is not clear which other healthcare providers were working with Seim Johnson and have been affected by the data breach.

The types of PHI exposed differed from patient to patient, though several had their name, medical record number, patient identification number, or a visit number exposed. In a few instances, Social Security numbers were compromised, though no financial information was stored on the laptop.

Patients are being notified of the privacy breach. Where a Social Security number was stored on the laptop, patients will be specifically informed of this in their breach notification letter.

It is company policy at Seim Johnson to encrypt all data stored on laptops, which are also protected with a password. Encryption software was used to protect the data stored on the stolen laptop, though an investigation into the incident found that the encryption software was probably not working properly. As it cannot be proved that the encryption protected the data stored on the laptop, the firm has started notifying all patients of a potential breach of their private data.

HIPAA Business Associate Data Breaches Now Something of a Rarity

After the introduction of the HIPAA Omnibus Law, business associates of covered entities had a torrid time, with several reporting data breaches in the following months. Now, however, it is comparatively unusual for a business associate of a HIPAA covered entity to suffer a data breach.

The last business associate data breach before the latest announcement of the Seim Johnson laptop theft was that of EnvisionRx, a pharmacy benefits manager. A mailing error resulted in the names, treatment details, and dates of service of 540 persons being mistakenly disclosed. The privacy breach reported to OCR in October 2015 was a breach at Insurance Data Services, where 2,918 paper records were stolen.

Sunquest Information Systems reported the theft of a laptop containing 2,100 records in September, and EBPMA reported a 1,494-record breach in July. The Medical Informatics Engineering data breach, which affected 3,900,000 persons, was also reported in July.

Of the 267 data breaches reported to OCR throughout 2015, a total of 15 were stated to have involved business associates. This is a significant improvement on 2014 and 2013, when business associates were involved in 78 and 72 data breaches respectively.


Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.