Home Care Law Blog Gilliland & Markette LLP

3905 Vincennes Road
Suite 204
Indianapolis, IN 46268
Phone: (317) 704-2400
Fax: (317) 704-2410

Security Breach at Indiana State Department of Health

Posted by: Robert Markette
March 15, 2007
Topic: Healthcare News

According to an announcement from ISDH today, its website was hacked. The hackers were able to obtain a information on home health aides and certified nursing assistants who were in the state’s system in July 2005. The number of individuals affected is in the thousands. The information obtained by the hackers included names, addresses, and social security numbers.

Like many providers who have had recent security incidents, ISDH is sending out notice to all persons who may be impacted by this security breach. They have also taken action to fix the technical failure that allowed the security breach. Indiana is one of a growing number of states that requires notification to individuals when there is a breach that results in disclosure of their personal information.

ISDH’s letter to the Home Health Aides is another example of how to notify affected individuals of a security breach. (I received a copy from the IAHHC list serve. I am attaching it to this post, because I know some providers have wondered how to put this kind of letter together. It has been widely distributed by the state and various Indiana trade associations.) It does not explain in great detail how the breach occurred, but it tells the reader there was a breach and what information was involved. It then immediately expresses ISDH’s apology for the inconvenience and concern that has resulted.

Then recommends monitoring your credit and placing a fraud alert on your credit report. The fraud alert tells creditors to take extra steps when opening credit and other accounts. The letter provides the reader with information on obtaining a credit report and how to place a fraud alert. It also includes the names of the major credit reporting bureaus. It is a good idea to include this information in the letter, to make it as easy as possible for your patients to take action.

ISDH also opened a hotline for people with questions. The need to open a dedicate hotline is a separate question. For many home health providers you may not have a sufficient number of patients to justify a dedicated hotline. Hotlines can be expensive to operate, due to phone line costs, equipment costs, and the need for additional personnel. Many providers may be able to handle the calls resulting from a notification letter by simply having the privacy officer or another designated individual handle the calls.

The notice letter by ISDH is a pretty standard letter and is a good model to use if you ever have to notify patients of a security breach and are not sure where to start. The apology is a good idea as well. You would be surprised at how many lawsuits are averted by a simple apology.

In the majority of states, if you have EPHI disclosed as the result of a security breach, you will need to notify the patients whose information was involved. Of course, before you send a letter like this out after a security incident, you should discuss it with your lawyer. If you get sued, the letter may become evidence against you, but the letter may also lessen the likelihood of a lawsuit, if it leaves your patients feeling like you are doing everything you can and regret the unfortunate incident.


Attachments:
INCNAnotificationletterFINAL031207.doc

         

News

Health Care

[08/15] Catalyst Pharmaceutical Partners Reports Second Quarter 2008 Financial Results
[08/15] Salmonella outbreak winds down; questions remain
[08/15] 6 get Legionnaires' disease in upstate NY; 1 dies
[08/15] NYC heroes lift bus off pregnant woman; baby saved
[08/15] NYC heroes lift bus off pregnant woman; baby saved
[08/15] Former half-ton man endures hard times in Nebraska
[08/15] AP Interview: Doctor behind executions speaks out
[08/14] University Hospitals Receives $22.6 Million Donation from Harrington and McLaughlin Families
[08/14] The National Kidney Foundation's 7th Annual Ronald D. Paul Companies Kidney Walk to be Held on Saturday, September 20
[08/14] Best Practice Database adds Research on New Product Launch
Read More

Web Resources

FindLaw
Thomson West
U.S. Courts
Westlaw
United States Chamber of Commerce
FirstGov
Legislative Branch
Library of Congress
White House
Internal Revenue Service
National Weather Service
Yahoo!Maps
YellowPages.com
New York Times
Newspapers Online
USA Today
Wall Street Journal
AOL
Google
Yahoo!Legal Blog Directory  

The information you obtain at this site is not, nor is it intended to be, legal advice. You should consult an attorney for individual advice regarding your own situation.

Copyright © 2008 by Home Care Law Blog Gilliland & Markette LLP. All rights reserved. You may reproduce materials available at this site for your own personal use and for non-commercial distribution. All copies must include this copyright statement.