"CalOptima reports that its claims imaging vendor, ImageNet, accidentally sent out unencrypted DVDs that contained claims from 68,000 of its members. The DVDs were sent to CalOptima via certified mail, but never reached CalOptima. CalOptima actually posted this information and identified ImageNet on its home page."
CalOptima calls it the "potential loss of past medical claims information for approximately 68,000 of its members that was stored on electronic media devices." CalOptima reported that the information potentially breached included: member names, home addresses, dates of birth, medical procedure codes, diagnosis codes and member identification numbers, including some Social Security numbers. CalOptima provided a toll-free number for its members to call. It will be interesting to see how this situation develops.
Regardless of how you analyze it, a breach of this magnitude requires implementation of the Breach Notification Rules that went into effect in September 2009. The HITECH Act, Section 13402 rules call for:
Notification to individuals whose PHI was breached.
Notification to media outlets serving the state or jurisdiction, if unsecured PHI of more than 500 individuals is believed to have been disclosed.
Posting on HHS Public Website.
Notification must include:
A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if
A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or
The steps individuals should take to protect themselves from potential harm resulting from the breach.
A brief description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.
Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
For more information on the HITECH / HIPAA Privacy and Security Rules, go to The HIPAA Survival Guide website or sign up for Digital Business Law Group's free monthly compliance newsletter. Discussion and social networking sites with information about the HIPAA Survival Guide include Facebook and LinkedIn groups.
Note: We will begin conducting HITECH / HIPAA Risk Management Webinars in January 2010 that may also be of interest. These webinars will be run as "round-table" discussions of the pertinent issues, with many opportunities for audience participation and questions.