Tennessee subcontractor tells 60,000 employees of PHI breach
Onsite Health Diagnostics (OHD), a Tennessee government subcontractor, recently released a notice to local government employees explaining how their data may have been compromised when an unknown party inappropriately accessed OHD’s online scheduler in early 2014.
According to the OHD notice, the source gained access to 60,582 employees’ data, such as name, date of birth, address, email address, phone number and gender from January 4, 2014 to April 11, 2014. But no financial information, Social Security numbers or medical data was included in the breach. OHD had this employee information in the first place because it conducts employee health screenings for state health plan members.
OHD learned of the breach on April 11 and has collaborated with security and forensics experts to determine how access to the data was gained. OHD said the affected system has not been in use since Fall 2013; a new scheduling system has been used since then, and additional security controls have been implemented on that system.
OHD and investigating authorities are unaware of any identity theft related to this incident, but out of an abundance of caution, OHD has mailed letters to the affected health plan members to ensure that they are aware of the incident and can take steps to protect their information. OHD will provide one free year of identity theft protection to affected group health plan members.
The notice on the Tennessee Benefits Administration site added that the breach doesn’t fall under HIPAA regulations because of the type of data involved.
While this information did not contain any diagnosis or medical information, the state has determined that, because it is related to our members’ health benefits, the disclosure of name, address, email address, phone number and gender does fall under the HIPAA definition of a breach of protected health information. The state has notified the Secretary of HHS of a Breach of Unsecured PHI.