Fairfax County Data Breach (2012)

Fairfax County, Virginia issued the following release yesterday about a breach that does not appear on HHSs public breach tool and that was not previously known to this site. They say a total of 595 individuals were affected, but the number whose PHI were involved was not specified: Since a 2012 unauthorized data release by the third party vendor, Meridian, managing its multi-function devices used for scanning, faxing and printing documents, Fairfax County Government has contacted, or attempted to contact, individuals impacted by the disclosure of electronic protected health information (ePHI) and personally identifiable information (PII) exposed to the Internet. Notification letters have been mailed to all with available contact information. This notice is being published to locate current contact information for: 47 individuals whose PII was exposed. 33 individuals whose ePHI was exposed. In May 2014, Fairfax County Government discovered that data from multi-function devices was exported by a county contractor, Meridian, from an on-site county server to an Internet-accessible server owned and maintained externally by Meridian. This unauthorized export occurred in October 2012 by a Meridian technician responsible for supporting these multi-function devices and systems. Fairfax County takes the circumstances surrounding this breach of personal and medical information very seriously and, upon discovering the potential data exposure, immediately took steps for remediation, mitigated further exposure and enforced security and data requirements with the vendor. The export included a limited collection of documents that had been scanned on these multi-function devices by county personnel between approximately June 2010 and October 2012 and rejected by the system due to an error. The documents exposed on Meridians server included PII, such as Social Security numbers, drivers license numbers and/or financial account numbers, as well as ePHI, on county employees and other individuals. At Fairfax Countys request, Meridian agreed to notify all impacted individuals and provide free credit monitoring services. As a precautionary measure to safeguard an individuals information from potential misuse, Meridian has partnered with Equifax to provide its 3-in-1 Alerts identity theft protection product to an impacted individual for one year at no charge.