Erie County DSS investigating health data breach
There is more patient data exposure news from Buffalo, NY: following the recent health data breach at DENT Neurologic Institute, the Erie County Comptroller’s office (headed by Stefan I. Mychajliw) reported that paper health records with protected health information (PHI) were left out in public view by the Department of Social Services (DSS).
The comptroller apparently learned of the breach during an audit and, according to The Buffalo News, the records contained copies of birth certificates, personal medical records, Social Security numbers, bank accounts, tax returns, inmate records, payroll information, court records and passports. DSS had previously refused auditors the opportunity to review records following reports that it hadn’t been checking for patient qualifications for those seeking benefits. In an ironic twist, however, DSS found full patient files that were meant to be shredded sitting in open boxes at a loading dock.
Much of this case is still unknown, including how many patients are involved, what information has definitively been compromised and whether any patients have suffered identity theft or credit problems as a result of the breach.
“It shouldn’t happen in today’s day and age. We have the ability to ensure that these documents be kept secure, but a number of individuals in county government didn’t follow the rules…and if they’re still not following the rules after being warned, they should be fired,” Erie County Executive Mark Poloncarz said to WGRZ.com.
Erie County Executive’s spokesperson Peter Anderson was not a fan of the way the breach was publicized, saying that the Comptroller released details of the audit to the public before informing the administration. Anderson said that Erie County took steps to remediate the breach as soon as it learned of the issue on April 1. There was a press conference this morning in which Erie County Legislator Lynne Dixon was expected to request a legislative hearing to delve further into what went wrong.
While the investigation is still ongoing, as far as breaches go, this may be damaging to the Erie County DSS because of the carelessness of the breach combined with the nature of the data that was exposed. We’ve already seen plenty of cases of tax fraud schemes and patients finding out months later that their data had been compromised. How will an incident in which the DSS doesn’t know who’s accessed the data fall under HIPAA jurisdiction? As many healthcare organizations have already done to this point, it’s better to be safe than sorry, but how that applies to a state government organization remains to be seen.