Over 70,000 Records May Have Been Breached by California Business Associate

Stephan C Dean, the co-owner of the California record storage company Surefile, reported a hacking/IT incident to the HHS’ Office for Civil Rights (OCR) on March 4, 2020, affecting more than 70,000 clients.

Stephan Dean and his wife have been engaged in a long-running legal dispute with Kaiser Permanente over the return and destruction of electronic files containing patient information. Kaiser Permanente has been trying to get the files permanently deleted; however, Stephan Dean says that Kaiser Permanente owes him money for services provided. The on-and-off legal action was eventually ended, but the emails were never sent back or deleted.

Surefile worked with Kaiser Permanente and was given paper copies of medical records in 2008. When the dispute between Surefile and Kaiser Permanente came to a close, Stephan Dean returned the paper copies of the medical records to Kaiser Permanente; however, emails including patient information that were sent to Stephan Dean by Kaiser Permanente were still on his computer. Stephan Dean filed a complaint with OCR over claimed HIPAA violations relating to the emails and lack of a business associate agreement, and while a case was opened and the matter was reviewed by OCR, it was eventually closed with no penalty applied.

On August 20, 2019, Stephan Dean was told by Microsoft that an unauthorized person may have impacted his MSN email account. The account in question held files such as spreadsheets that had been sent to Stephan Dean by Kaiser Permanente.

Stephan Dean recently told Dissent of databreaches.net that the 70,000 records make up only a sample of the data and that the actual number, which could only be determined with forensic accounting, could well be close to 1 million records.

Databreaches.net reported on the first breach in 2012 and continued to report on the story. A detailed write-up of the legal dispute and latest breach can be found here: https://www.databreaches.net/an-old-hipaa-incident-rears-its-very-ugly-head-again/

Golden Valley Health Centers Advises Patients about Email Security Breach

Golden Valley Health Centers, a group of healthcare centers in the Merced, Modesto, and Central Valley regions of California, is warning patients that some of their protected health information has been breached. Patient information was included in emails and email attachments in an account that was accessed by an unauthorized person. The breach was discovered on March 3, 2020, and forensic investigators were called in to review the situation.

The review of the accounts revealed they included names, billing information, health insurance information, appointment records, and patient referral information. While the investigation showed that the email account had been accessed by an unauthorized person, no proof of data theft or data misuse was uncovered.

In response to the breach, Golden Valley Health Centers is reviewing and revising its information security policies and privacy practices, and additional training has been given to staff.

The HHS’ Office for Civil Rights breach portal indicates that 39,700 patients have been impacted.