- Arkansas-based Baxter Regional Home Health Facility (Baxter Home Health) announced that certain patients and employees may have had some of their information exposed in a data security incident that took place in August 2016.
Baxter Home Health learned on August 5 that a break-in took place at its Cotter facility overnight. The Cotter location contained hard copy files that could have been accessed by the unauthorized individuals.
“We have no information to suggest that any records were viewed or removed from the facility, and none of our electronic records or computer systems were impacted,” Baxter Home Health said in its statement. “We are nonetheless providing notice to potentially-affected patients and employees out of an abundance of caution.”
The patient information that may have been affected includes names, addresses, phone numbers, dates of birth, Social Security numbers, government identification numbers, insurance identifiers and diagnostic information. Employee information may have included names, addresses, phone numbers, dates of birth, licensure information, and information about previous employers.
Law enforcement was contacted, and Baxter Home Health added that it completed an internal investigation and assessment of its own security practices.
“We are currently working to increase security measures at the facility, and to that end, have changed locks and will be installing cameras and alarm systems to better secure this facility,” the facility explained.
Baxter Home Health did not specify how many individuals were potentially affected, but the OCR data breach reporting tool states that 2,124 may be impacted by the incident.
R-C Healthcare Breach affects Illinois facility
An Illinois hospital recently added its name to the list of healthcare organizations affected by the R-C Healthcare Management data breach.
Northwest Community Hospital (NCH) reported that 550 of its patients may have had their information exposed in the vendor breach, according to a Daily Herald article.
R-C Healthcare made nonclinical patient information potentially accessible online from April 18 through June 13.
While it is unclear if any NCH patient information was stolen, the potentially affected data included full names, dates of service, amount due, amount collected and Social Security numbers.
"We sincerely apologize and regret that this situation has occurred, and we are taking significant steps to ensure this type of incident does not occur again," NCH said in a statement.
Veterans claims documents discovered in employee storage unit
The Virginia Department of Veterans Services (DVS) announced last week that veterans claims documents were included in the documents recently discovered in a former DVS employee’s storage unit.
DVS said in its statement that the exact amount of claims discovered was not known, but that they all appeared to be dated between 2011 and mid-2015, and exclusively from the DVS benefits office at McGuire VAMC.
Technical experts are reviewing all the materials, DVS reported. They will work to determine the number of impacted veterans, their identities and the status of their claims, but it “will take a number of weeks to complete.”
The agency’s director of benefits, Thomas Herthel, told the Richmond Times-Dispatch that 20 to 30 boxes of documents were recovered and included “everything from claims to medical records to miscellaneous correspondence.”
DVS explained that the former employee in question worked at the agency from January 2012 until August 25, 2015. Unfiled claims were found in the individual’s office in August 2015.
“Those claims were reviewed, and DVS contacted affected veterans to advise them and provide assistance,” DVS stated. “DVS terminated the employee at that time and has since assigned a new office manager for that location.”
Secretary of Veterans and Defense Affairs John Harvey said that he was deeply concerned about the veterans whose information was mishandled, and that his team is working to ensure those veterans receive the necessary benefits.
“At the beginning of this administration, we identified a vulnerability in the Commonwealth’s claims process, and we began implementing a solution to this serious deficiency,” Harvey continued. “Regrettably, our fears were justified, and the danger we were working so hard to address was already a reality. We stand ready to assist any and all veterans impacted, and we are determined to prevent any similar mishandling of information from happening in the future.”
Error with patient satisfaction surveys leads to data security issue
The University of Wisconsin-Madison health system, UW Health, explained in a statement that a recent mailing error may have exposed a limited amount of patient information.
Patient satisfaction surveys were recently mailed out between July 29, 2016, and August 2, 2016. On August 3, UW Health said it became aware “that the survey and cover letter were mailed to the patient in an envelope mistakenly addressed with the prefix: ‘To the parent or guardian of [patient's name],’ rather than directly to the patient.”
“The enclosed cover letter was accurately addressed to the patient, and included the name of the healthcare provider that treated the patient,” the statement read. “We were able to determine that the cause was an improperly formatted computer file and quickly prevented any further misaddressed mailings from being sent to our patients.”
According to the OCR data breach reporting tool, 6,923 individuals were potentially affected by the incident. UW Health maintained that “only some patients who came to one of our facilities or clinics and received the letter.”
UW Health added that it has re-educated staff members to ensure that the same type of incident does not happen again.
Email error creates privacy breach at Illinois company
An Illinois-based medical products and services company recently announced that it had experienced a privacy breach that potentially affected 992 individuals.
Baxter said in an online statement that human error led to an email being sent out on September 15, 2016 that included individual email addresses for all intended recipients in the ‘To’ field of the message. The individuals were being asked to participate in a product-specific Patient Advisory Council.
Baxter said that no other personal or health information was involved in the isolated incident. The facility became aware of the email error on September 16, and then attempted to recall it.
“The company has extensive security measures in place to protect against the loss, misuse, and alteration of any personal information,” according to the statement. “Baxter’s information security program includes policies, compliance systems and employee training, and the company enforces appropriate use and protection of the company’s information and technology.”
Additional safeguards are currently being evaluated to ensure that this incident does not happen again, Baxter added.