The health center at Lane Community College in Eugene, Ore., is notifying patients that their protected health information may have been compromised after it found that one of its computers had been infected with a virus for 11 months.
The local newspaper, The Register-Guard, reports that about 2,500 patients are receiving notifications via letters.
The virus was found during routine maintenance in early February and is not believed to have transmitted patient information to a third party, according to a statement from the clinic. “This computer was not connected to any other computer in the clinic, and there is no evidence that any patient information was transmitted,” the statement noted.
Patient data at risk included names, dates of birth, addresses, phone numbers, Social Security numbers and diagnoses.
Despite the sensitivity of this information, the clinic statement did not indicate that it would be offering credit or identity protection services. The clinic did not respond to a request for information on whether protective services were being offered.
Rather, the clinic has advised patients to report the breach to credit bureaus, banks and credit card companies; request a free credit report from one of the bureaus; place a fraud alert with one of the bureaus; contact local authorities; and file a police report if suspicious account activity is noticed.
Rebecca Herold, President at SIMBBUS LLC, a privacy/security cloud services firm and CEO at The Privacy Professor, a consultancy, notes that patients increasingly are on their own to clean up the mess of a breach.
“In general, offering credit monitoring for 1 to 2 years was the common de facto standard for breached businesses to provide over the past 10-15 years or so,” Herold says. “However, now businesses are either offering it to those who explicitly want it, or just not offering it at all. It is still a good thing to do; it demonstrates goodwill and caring by the breached organization. HIPAA/HITECH does not require such credit monitoring or other services to breach victims, so the clinic won't be sanctioned for HIPAA non-compliance for not offering such services.”