82,601 Records Exposed in Third Aventura Hospital HIPAA Breach

A third Aventura Hospital HIPAA compliance breach has been announced potentially affecting more than 82,000 patients after going unnoticed for 21 months.

It has been a bad couple of years for Aventura Hospital in terms of data security. The healthcare provider suffered two data breaches in 2012 which resulted in 3,508 records being compromised and it has now discovered that its HIPAA worries are far from over.

The healthcare provider has recently announced a third Aventura Hospital HIPAA breach that eclipses those discovered in 2012. The latest breach also started that year and went on, unnoticed, for 21 months. Inappropriate accessing of patient data is believed to have started on September 13, 2012 and continued until June 9, 2014.

During this period of time, the names, dates of birth and Social Security numbers of as many as 82,601 individuals were potentially accessed by a (now former) member of staff of one of its Business Associates, Valesco Ventures, according to a Local10.com news report.

Valesco Ventures was used for hospital staffing and providing ancillary services to Aventura Hospital and Medical Center. Some of its members of staff were provided with access to a limited amount of hospital data. On May 28, 2014, Valesco was alerted to the possibility that a member of its staff was inappropriately accessing the data of Aventura Hospital and Medical Center patients, according to a statement released by Valesco manager Terry Meadows, M.D.

The Aventura Hospital HIPAA breach was brought to the attention of law enforcement officers who concluded on June 10, 2014 that patient data had indeed been accessed by the individual. Two months later, on September 9th 2014, the company sent breach notifications to patients alerting them to the inappropriate access. Meadows confirmed that no financial or medical data was exposed during the HIPAA breach.

The Social Security numbers and personal identifiers which were accessed can be used to fraudulently obtain products and medical services, commit identity fraud and make false insurance claims, although it is not clear at this stage whether any individual’s information has been used to commit fraud.

According to Local10 news, one Aventura patient, Elaine Moniz, said her Social Security number was used to file a fraudulent tax return and she believes her information was obtained as a result of this HIPAA breach.

The previous HIPAA breaches suffered by Aventura occurred between Oct. 1, 2012 and Dec. 31, 2012, when the data of 948 patients was compromised, and a separate incident between January 1, 2012 and September 12, 2012 in which the records of 2,560 patients were compromised, with the latter incident being corrected just a day before the start of the third Aventura Hospital HIPAA breach.

The Office for Civil Rights may choose to investigate both Aventura Hospital and Valesco Ventures to determine whether the incident resulted from HIPAA violations. Should this prove to be the case, it can issue a fine to the business associate and the hospital up to $1.5 million per year that the breach was allowed to continue. A breach of this magnitude is also likely to see lawsuits filed by victims to recover damages.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news