http://securityratty.com/tag/ehs Wed, 16 Apr 2008 07:00:28 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/abae4f25b1b562e0d35d7dc7888853e0 http://securityratty.com/article/abae4f25b1b562e0d35d7dc7888853e0 Security Breach

Date Reported:
3/3/08

Organization:
The Elliot Health System (EHS)

Contractor/Consultant/Branch:
Advanced Medical Partners, Inc.

Victims:
Patients

Number Affected:
Unknown

Types of Data:
"electronic protected health information" "name, procedural dates of service at EHS, name of your insurance company and your date of birth"

Breach Description:
"A business associate of The Elliot Health System (EHS), Advanced Medical Partners, Inc. (AMPI), has recently informed us that on the evening of February 22, 2008, a thief/thieves broke into corporate headquarters, and stole ten computers.  The computers contained electronic protected health information and could potentially include your name, procedural dates of service at EHS, name of your insurance company and your date of birth"

Reference URL:
The New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

A business associate of The Elliot Health System (EHS), Advanced Medical Partners, Inc. (AMPI), has recently informed us that on the evening of February 22, 2008, a thief/thieves broke into corporate headquarters, and stole ten computers.
[Evan] Is this the same Advance Medical Partners that was recently acquired HealthTronics?

The computers contained electronic protected health information and could potentially include your name, procedural dates of service at EHS, name of your insurance company and your date of birth

AMPI has told us that these computers have safeguards in place, including password protection, to guard against access to this information.
[Evan] Really?  I have two primary problems with this statement.  First, is the "AMPI has told us" remark.  EHS should know how their vendors/contractors secure confidential information.  Contractor information security must be dictated by policy and/or contract language, then audited on a regular basis.  Secondly, does EHS and/or AMPI want people to believe that password protection is adequate?

As with any such occurrence, we have reviewed this situation as an opportunity to evaluate current practices, policies and procedures.
[Evan] You don't need a breach to open an opportunity for improvement.  Constant improvement should be built into the information security program from the beginning.

If EHS is informed of any new information related to this security incident by AMPI, EHS will contact you and update you.

Please accept my apologies for any inconvenience this may have caused you.

If you require any additional information or assistance, please feel free to contact me.
Katherine St. Jean RN, CPC, CMAS
Director of Compliance/Corporate Compliance Officer
Elliot Health System
Compliance Dcparttnent
4 Elliot Way
Suite 303
Manchester, NH 03103
603.663.2932-phone

Commentary:
This is just a short and quick breach notification without much detail.  Feel free to comment.

Past Breaches:
Unknown

]]> Wed, 16 Apr 2008 07:00:28 +0000 information breach elliot health system elliot health information contractor information security ehs andor ampi ehs information security program Elliot Health System reports a breach involving health information