Huntington Medical Research Institutes Data Breach (2015)

The second healthcare data breach was reported on October 20, 2015 and happened when a former HMRI employee potentially took some ePHI when the employee left HMRI on July 31, 2015. The research institute said that it learned about the incident on August 20, 2015. The HMRI statement on its website did not say what form the ePHI was in, but according to the Office for Civil Rights (OCR) data breach reporting tool, it was a laptop or other portable device. The OCR report also states that the October 20 incident potentially affected 4,300 individuals. HMRI explains that once again Social Security numbers and other financial information were not exposed. However, patient names, some demographic information such as date of birth, clinical information such as diagnosis, treatment, tissue specimen source, other specimen information, and specific tests ordered were all included. Moreover, referring physician information and some billing information were also potentially exposed. HMRI added that there is no action that patients need to take, and that it once again plans to reinforce staff training for employees to have access to PHI and also strengthen the facility's data security.