For immediate release:
April 14, 2016
(Oneida Reservation) – The Oneida Nation is providing this public notification in compliance with federal law. On February 17, 2016 a flash drive containing the limited details of dental patient information was internally stolen from our dental offices at the Oneida Health Center located at 525 Airport Drive, on the Oneida Reservation.
The theft was discovered the same day and law enforcement was immediately notified. Since that time, the police and internal investigation have been ongoing. Although law enforcement investigated the situation, the flash drive has not been recovered.
It has been determined that the flash drive contained the following limited dental information for 2700 patients seen between 02/07/15 through 02/17/16:
- Dental patient identification number
- Date(s) of visited (between the above dates)
- Dental insurance identification number, if applicable.
Although the dental information taken was extremely limited and there is no information to suggest it was used or disclosed for inappropriate purposes, there are various steps affected individuals (and the public, generally) are able to take to protect themselves from medical identity theft, or identify theft:
Various warning signs of identity theft and steps to take if information is lost/ stolen is located at: https://www.identitytheft.gov/;
The warning signs for medical identity theft are also located at: https://www.consumer.ftc.gov/articles/0171-medical-identity-theft.
We recommend affected individuals notify their dental insurance company, if applicable, of this incident because the dental insurance identification number was involved. Dental Insurers may be able to place the identification number on a list of compromised numbers, etc.
If affected individuals have broader concerns regarding their information, they may also contact one of the three major credit bureaus (below) to place a fraud alert on their credit report. Once one credit bureau confirms the fraud alert, the other two credit bureaus will automatically be notified to place alerts. All three reports will be sent free of charge:
Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA, 30374-0241
Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9532, Allen, TX 75013
TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
Affected individuals and the general public are reminded of the importance of safeguarding personal information in all forms of media and to use diligence if receiving inquiries requesting personal information.
To prevent a reoccurrence of this type of isolated internal incident, we are implementing the following measures: Reviewing and implementing administrative procedures regarding the use of flash drives and implementing appropriate technological safeguards concerning their security and storage.
Notification in accordance with federal law has been provided to affected individuals. Throughout the entire investigation, there has been no information developed to suggest that our patient dental information was used or disclosed for inappropriate purposes.
Please note- this isolated incident did not involve any other personal identifying data, financial information, social security information, claims information, or any other diagnosis/ treatment information. The information taken was limited to very specific dental information and did not involve information from any other departments within the Oneida Health Center. If you feel you may have been affected by this incident and have questions or concerns, please contact Dave Larson, Director of Ancillary Services, at (920)869-2711 or email email@example.com at your earliest convenience.
Oneida Health Center Dental Data Breach Frequently Asked Questions
My letter said “private information was released”, what information of mine was released?
Response: The dental information that was involved included:
- Patient name
- Dental Identification number
- The date(s) the patient visited the dentist (within the time period dated Nov 2015 to Jan 2016)
- Dental insurance identification number if applicable-Note: this is not your dental insurance carrier number but a number unique to the insurance and our facility only.
This was an isolated incident and did not involve any other personal identifying data, financial information, social security information, claims information, or any other diagnosis/ treatment information.
The breach happened February 17, 2016, why am I just now finding out about this?
Response: The breach occurred on February 17. Since February 17, there has been an ongoing internal and external investigation involving Comprehensive Health and Internal Security and the Oneida Police Department. Notifying anyone sooner may have jeopardized any ongoing investigation. Notification occurred within the timeframe required by Federal Law.
Why is Dave Larson the contact person and does this mean that the “higher ups” don’t know about this situation?
Response: Dave Larson is the “Privacy Officer” for the Health Division. The Division Directors and the Oneida Business Committee are aware of this situation and have been kept informed of the situation since the onset.
Who made the determination as to who would receive notification letters? Was specific criteria was used to determined who received letters?
Response: The determination of who would receive notification was based upon the Federal requirements in accordance with legal representation and the Privacy Officer recommendations. Patients were notified based upon an electronic report that was generated based upon those patients that received services and were included in the data that was saved to the jump drive device.
How was MIS able to determine what information was downloaded onto the drive?
Response: MIS did not determine what information was downloaded onto the drive. The Investigation and employee interview(s) confirmed what information was contained on the jump drive. A total of 2734 patients were impacted.
How were the drives secured at the time of the breach and what has changed to ensure the same type of incident will not occur again?
Response: There was only one jump drive that was stolen from a dental office. The jump drive was stolen from a Supervisor’s computer when the Supervisor was not in the office. Although HIPAA training occurred shortly before this incident, all HIPAA policies have been reviewed with all staff since this incident. Additionally, administrative safeguards have been implemented regarding the use of jump drives and other external storage devices and appropriate technological safeguards concerning their security and storage in collaboration with MIS and the Health Division is being explored and utilized.
If the Drive only had our name and dental id number on it why was the credit bureau information provided in the letter?
Response: Federal law requires affected individual be informed of any steps individuals should take to protect themselves from potential harm resulting from a breach. Although this is appears to be an isolated incident, not involving data such as financial information, social security information, claims information, or any other diagnosis/ treatment information for any of the patient information involved, the Credit Bureau information was provided as a courtesy to those patients that were impacted. We know how alarming the notification may be and that there is a strong interest in protecting sensitive personal information. We wanted to be sure that this information was readily available to our patients, if they wanted the information
Who do I talk to if I have further concerns?
Response: For further information and assistance, you may call Dave Larson, OCHD Privacy Officer and Director of Ancillary Services at: (920) 869-4820 use (800) 869-2711 or email him at: firstname.lastname@example.org