Another health care data breach was reported this week, and this time the victims were Milwaukee City employees. The breach happened after a Dynacare employee’s car was stolen. In the car was the employee’s purse, which held a flash drive containing personal health care information (PHI), the Milwaukee Journal Sentinel reports.
The city handed the data over to Froedtert Health, a public health organization. Froedtert Health then passed the data along to Dynacare, the company it contracts with for its clinical laboratory needs. The stolen flash drive contained the names, addresses, dates of birth, genders and Social Security numbers of 6,000 employees, as well as the names of an additional 3,000 spouses/partners. The data was stolen on October 22 and was not reported by Dynacare to the city until November 15th. Apparently Dynacare reported the breach to Health and Human Services before it told the city, but the city is still very upset at the late notice. What is most concerning is the fact that the data was given to Froedtert encrypted, but it was not encrypted as it changed hands down the line.
Because this breach was only just reported, it is still unknown how bad it could turn out to be and how much it will end up costing the involved parties. In our blog last week, University Health was responsible for providing credit monitoring and identity theft protection for one year to the individuals whose data was lost. Providing this service is pretty commonplace, so it is safe to assume that the parties involved here will be responsible for providing similar services at the very least. Costs can add up quickly, so there is a strong possibility that they will be on the hook for more.
This is simply another case of not having a proper procedure from beginning to end. While the data did not walk off from the facility, it might as well have. There needs to be a strict process in place that all vendors and third-party business associates must follow. This process needs to be enforced and adhered to every step of the way. It doesn’t matter who is the most responsible for the breach; all parties involved are responsible in the end, and it’s their patients who are taking the hit.