- PruittHealth, a healthcare system in South Carolina, has investigated two break-ins at separate locations that may have resulted in PHI breaches.
According to a public notice on its website, the healthcare system was notified of two break-ins at its Home Health-Low Country and Hospice-Beaufort locations. While no medical records were stolen in either case, the thieves may have inappropriately viewed patient files.
The statement reported that unauthorized entities had entered the PruittHealth Home Health-Low Country location on March 2 by breaking the front door glass. PruittHealth stated that only petty cash was missing from the office, but the thieves did have the opportunity to access paper medical records.
Although it did not appear that the entities had taken or even viewed the documents, the healthcare system reported that there is a possibility that patients may have had their personal information exposed by the event.
In a separate healthcare data security incident, thieves had broken into the PruittHealth Hospice-Beaufort office on April 11 by breaking the glass of a side window. The perpetrators also managed to break into patient file cabinets that contained paper medical records.
The healthcare system explained that it did not appear as if the thieves had pulled out any documents from the cabinets or taken any records.
While the perpetrators reportedly did not disturb any patient files, individuals may still have had their PHI disclosed in both events, including names, addresses, Social Security numbers, dates of birth, dates of services, locations of service, and other clinical information.
After discovering both break-ins, PruittHealth contacted the Beaufort Police Department and stated that it continues to cooperate with the investigation. It has notified all affected individuals by mail.
The healthcare system has also taken additional steps to further secure its offices, the public notice read.
Approximately 1,437 individuals were affected by the burglary at the hospice office, according to the Office of Civil Rights data breach webpage. Neither the statement nor the OCR’s website disclosed how many individuals were impacted by the other break-in.
MA hospital notifies patients of potential vendor healthcare data breach
Some dental practice patients at Massachusetts General Hospital may have been affected by a potential healthcare data breach involving a third party vendor.
In a statement on its website, the hospital reported that Patterson Dental Supply Inc, a vendor that provides dental practice information management software, notified them of a hacking incident that may have exposed some of the hospital’s patient files.
On February 8, the vendor discovered that unauthorized entities had gained access to its systems, including some that contained patient information. Patient files impacted by the incident contained names, dates of birth, Social Security numbers, medical record numbers, dates and types of dental appointments, and dental provider names.
The hospital added that the intruders did not access any of its systems or any files managed by the hospital.
Patterson Dental Supply Inc contacted local law enforcement officials, who launched an investigation into the hacking event. Law enforcement officials asked Massachusetts General Hospital to withhold notifying potentially affected patients and releasing a public statement until the investigation was over.
On May 26, the hospital received permission to contact impacted individuals and it mailed notification letters to all affected patients on June 29. Massachusetts General Hospital also created a call center to answer any questions about the healthcare data security incident.
The statement did not disclose how many individuals may have been affected by the potential healthcare data breach.
The hospital also released details on its efforts to prevent other patient privacy violations.
“We are committed to the security of sensitive information maintained by our third-party vendors and are taking this matter very seriously,” explained the statement. “To help prevent this type of incident from happening again, PDSI [Patterson Dental Supply Inc] took steps to enhance the security of its systems that maintain dental practice data.”
Missing report leads to patient privacy violation at VA medical center
The Veterans Affairs Medical Center in Washington DC has notified 1,062 individuals of a possible data breach after an alleged theft, according to the OCR’s website.
In a statement, the Department of Veterans Affairs reported that it’s privacy office was contacted on March 31 regarding a missing controlled substance monthly report. The document contained personal information on veterans, including first and last names as well as full and partial Social Security numbers.
The department has notified all affected individuals via mailed correspondence and included instructions on credit monitoring and methods for protecting privacy. It also stated that “appropriate actions are being taken to protect their [affected veterans] identities.”
Additionally, the department addressed how it will prevent similar incidents.
“The Washington DC Veterans Affairs Medical Center takes matters such as this very seriously and has implemented new procedures to reduce the possibility of this type of incident in the future,” explained the statement.
Employee with fake nursing license causes possible healthcare data breach in CA
A former healthcare care manager who was going by a fake name and had a falsified nursing license has caused a potential healthcare data breach at a California-based medical center.
Mercy Medical Center Redding, a Dignity Health organization, stated on its website that it been notified by its business associate, naviHealth, on June 6 that a former employee had inappropriately accessed patient information. The medical center uses naviHealth to help carry out patient support after an individual leaves the medical center.
The business associate discovered that a former case manager had been working under a fake name and nursing license between June 2015 and May 2016. The individual had access to patient information as part of his primary responsibilities at work, including standard clinical information, patient data, and health insurance account information.
Upon discovering the incident, naviHealth terminated the employee and his computer access. The company also contacted law enforcement officials.
Patients who visited Mercy Medical Center Redding between June 2015 and May 2016, may have had certain PHI, such as names, addresses, phone numbers, Social Security numbers, dates of birth, emails, medical record numbers, account numbers, and dates of medical services exposed. The former employee may have also accessed diagnoses, lab results, medications, dates of treatment, provider notes, group health plan numbers, and member IDs for some patients.
As a result of the possible healthcare data breach, naviHealth has reviewed all calls made by the former case manager to ensure content and clinical accuracy. The company has also recently verified nursing licenses and identifications for all its employees as well as implemented a more thorough screening process for potential employees.
Mercy Medical Center Redding has mailed letters to all affected individuals and provided resources on identity theft protection.
Approximately 520 individuals were impacted by the healthcare data security event, reported an article on ActionNewsNow.com.