Grady Health System provides little detail about breach
Date Reported:
7/25/08
Organization:
Grady Health System
Contractor/Consultant/Branch:
Unnamed Vendor
Unnamed contractor of the unnamed vendor
Victims:
Patients
Number Affected:
Unknown
Types of Data:
"patient medical information"
Breach Description:
"Grady Health System and federal authorities are currently investigating the theft of some patient medical information. The computer data was stolen from a subcontractor of the vendor the health system has engaged to transcribe physician notes and medical record information."
Reference URL:
Grady Health System Press Release
The Atlanta Journal-Constitution
WGCL Channel 46 News
Report Credit:
Denise Simpson, Grady Health System
Response:
From the online sources cited above:
Grady Health System and federal authorities are currently investigating the theft of some patient medical information.
[Evan] People may be wondering what "some personal medical information" means, myself included.
The computer data was stolen from a subcontractor of the vendor the health system has engaged to transcribe physician notes and medical record information.
[Evan] The information was collected by Grady, given to a vendor, who in turn gave it to a contractor. What are Grady's policies as they pertain to sharing confidential information with third parties? According to Grady's "Summary of Notice of Privacy Practices", patients have "The right to an accounting of certain disclosures of your health information". I wonder if this includes an accounting of what happened with regard to this breach. Patients are entitled to certain rights. I also wonder if this notice is trumped by law enforcement action.
The health system discovered the theft late Thursday, July 24, and immediately reported it to the proper authorities.
The FBI is investigating the theft.
Grady believes that the records do not contain patient financial information and it is not clear at this stage of the investigation how many patient medical records are involved.
[Evan] It doesn't sound like Grady has a very good "accounting" as of yet.
it remains unknown how many patient records were stolen, which patients were affected or how the records were stolen
"We sincerely regret the occurrence of this breach of confidentiality of patient records in the hands of one of our vendors, and we are hopeful that our quick response to this theft will significantly reduce any negative consequences for our patients and the physicians who care for them," said Denise Simpson, Grady Health System Public Affairs Manager.
[Evan] Do you suppose that Grady has a policy or contractual language which clearly communicates the controls that vendors are required to provide in order to adequately protect confidential information?
Simpson did not identify either the vendor or subcontractor.
[Evan] Did Grady provide ANY actionable information?
"We are working diligently to determine who has been impacted by this incident and will notify the affected patients as soon as that information is available. At the same time, we will do all we can to assist authorities in their search for the party, or parties, responsible for this crime," added Simpson.
She said Grady would notify the patients as soon as possible.
It is unclear who might have stolen the records or for what purpose, she said.
Commentary:
I don't understand why Grady Health System decided to distribute a press release or any comment regarding this breach due to the fact that they seem to have NO answers. What can a patient do with the information that Grady released? An incident response that releases incomplete information can cause serious confusion and unnecessary anxiety. Did Grady make an announcement too soon?
Past Breaches:
Unknown
