Urology Associates

Urology Associates Data Breach (2015)

low VERIS
Disclosed

July 24, 2015

Records

6.5K

Confirmed

Root Cause

Physical Breach

Industry

Healthcare

Description

A Montana urology clinic reported a potential health data breach after it discovered in May that the storage unit housing its patient records had been broken into and patient data was possibly accessed. Urology Associates sent data breach notification letters to patients, practice manager Tanna Darling told The Daily Inter Lake. Darling said that "over a few thousand" letters were sent out. However, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) online breach reporting database shows that 6,500 patients were affected and that OCR was notified on July 24.

Clinic officials reported that the break-in occurred at the clinic's storage unit in a locked and gated facility, and that it was likely that the unauthorized individual was renting a separate storage unit at the facility and therefore had access to the first gate. "Everything was in disarray, but it honestly didn't look like they took anything," Darling said. Kalispell Police Department Captain Scott Warnell said that the incident is part of a larger trend that is happening across the county, and that the department is making extra patrols on storage units to ensure that unauthorized individuals are not in the area.

It was not specified what information was potentially accessed from the storage unit, but some form of PHI was likely involved, as the health data breach was reported to the OCR. Moreover, patients whose information was possibly accessed will receive one free year of credit monitoring from Urology Associates.

Repercussions for health data breaches are likely going to be stronger in Montana, as earlier this year the state updated its data breach notification law to account for medical information. House Bill (H.B.) 74 requires data breach notifications be sent to the state's attorney general and insurance commissioner, and was signed into law on Feb. 27 by Governor Steve Bullock.

"Upon discovery or notification of a breach of the security of a data system, a state agency that maintains computerized data containing personal information in the data system shall make reasonable efforts to notify any person whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person," the law states.

Montana Attorney General Tim Fox wrote a letter to the editor in The Montana Standard when the bill was passed, saying how pleased he was that changes were made. "HB 74 requires a single notification to my Office of Consumer Protection when those breaches occur," Fox wrote. "It's my hope that by giving us notice of these breaches, we can better mobilize my team to assist consumers and even recommend ways to prevent such breaches in the future."

Overall, there has been increasing debate recently over how data breach notification laws should be handled. State Attorneys General recently wrote a letter to Congress, saying that it is essential that any federal data breach notification laws do not preempt state laws. The National Association of Attorneys General (NAAG) said in its letter that many current state data breach notification laws have more protections than proposed federal legislation, and that states need to have the ability to enact and enforce state breach notification. "As we have seen over the past decade, states are better equipped to quickly adjust to the challenges presented by a data-driven economy," the group wrote. "States have been able to amend their laws and focus their enforcement efforts on those areas most affecting consumers."