Data breaches affect patients in 3 states
Stolen laptops, dumped records and an unprotected website leave personal data exposed for more than 1.2 million people.
More than a million Florida residents lost personal information in one of several security breaches reported in recent weeks.
AvMed Health, a Florida-based health plan, said data about nearly 1.2 million members and former members were breached when two laptops were stolen in December 2009 from an AvMed office in Gainesville, Fla.
The insurer notified 360,000 customers of the breach in February. But AvMed said on June 3 that further investigation found that an additional 860,000 people had been affected.
Information included names, addresses, birth dates, Social Security numbers and health information. Although there is no evidence that the data were misused, the company contracted with an identity protection service to respond to the breach.
In another case, officials at the University of Louisville in Kentucky said on June 2 that the university was notifying 708 dialysis patients of a breach. They discovered that patient names, Social Security numbers and medical information had been displayed on an unsecured website for about 19 months.
Gary Mans, spokesman for the University of Louisville, said the database was a registry for patients of the university's kidney dialysis program. The users of the site thought it was password-protected when, in fact, it was not. But even though it was technically public, there were no links to the site, and there's no evidence it was accessed by any unauthorized users, Mans said. The website was disabled when the problem was discovered.
Mans said the university is offering a year of credit monitoring to those affected.
Meanwhile, Impulse Monitoring, a Columbia, Md., company that provides onsite and Web-based monitoring of neurological systems for patients undergoing spinal and brain-related injuries, is denying any responsibility in a case involving the June 6 dumping of several boxes of data in a church parking lot in Nashville, Tenn.
The data included checks, billing statements, medical records and employee payroll information belonging to NVMS, a monitoring business that declared bankruptcy in 2008. Impulse purchased some of that company's assets in 2009, but it said those assets did not include data on former patients.
Janine Gregory, general counsel for Impulse, said some personal information for former NVMS employees now employed by Impulse might have been included in the dumped records. She had no further information about the case.
The Health Information Technology for Economic and Clinical Health Act in 2009 added a requirement under the Health Insurance Portability and Accountability Act that health care organizations must notify victims and the media of any data breaches affecting more than 500 people. In February the Dept. of Health and Human Services began posting a list of those reported breaches online.