On February 3, 2017, Women’s Care of Somerset (WCS) employees erroneously disclosed the email addresses of all recipients of an informative email regarding health-related services to the other recipients.
According to a written press release, PHI security was not compromised as no personal or financial information of any kind was exposed in the incident besides recipient email addresses.
Following the incident, the healthcare organization conducted an investigation and discovered the error was a result of the use of an unauthorized email distribution method. WCS immediately deleted the emails and enlisted the help of a computer consultant.
The email addresses of 1,806 patients were exposed in the incident, according to the OCR data breach reporting tool. However, the hired computer consultant determined that many of the emails may not have been delivered successfully.
At this time, WCS said there is no evidence to suggest any of the exposed email addresses have been misused. To mitigate further issues, WCS is retraining staff on proper procedure when sending emails.
The healthcare organization has notified all individuals potentially impacted by the incident and requested these patients delete the email.
WCS has also established a toll-free call center to answer any further questions concerned patients may have regarding the breach.
Virginia Mason Memorial employees illegally access patient health records
Virginia Mason Memorial Hospital recently discovered 21 hospital employees inappropriately accessed patient health records from around October 2016 to January of this year.
According to an article in the Yakima Herald, employees improperly accessed the health information of 419 emergency room patients over a period of about three months.
The hospital promptly issued letters informing affected patients of the incident, and revoked patient record access from the 21 employees involved.
In its subsequent investigation, the hospital hired a third-party forensic firm to determine if any patient data has been found on the black market.
So far, there is no evidence to suggest any information has been disseminated on the web.
The hospital’s chief compliance and privacy officer Trent Belliston told the news source that investigators have no reason to believe any employees had any malicious intent in breaching the security of the patient health records.
“No evidence that the information’s being used in an improper way,” said Belliston. “We believe this to be a case of snooping, or individuals who were bored.”
Belliston also stated there is no evidence suggesting this was a targeted attack zeroing in on specific patients’ information.
“It was a wide array of patients and information,” Belliston said.
While the 21 employees involved have been disciplined or terminated depending on the extent of their involvement, hospital CEO Russ Myers stated labor and confidentiality laws bar him from explicitly naming which employees took part in the security breach or how the employees were disciplined.
According to the investigation, employees viewed patient medical and demographic information, but did not access any financial information.
However, Belliston stated it is possible some employees may have accessed patient Social Security numbers as that information would have been available in the patient records.
Due to the potential exposure of patient Social Security numbers, Memorial is providing free credit monitoring for all potentially impacted patients for two years. Additionally, the hospital has set up a call center to offer concerned patients answers to any additional questions.
“There’s the potential for this to happen in a hospital at any point in time,” said Belliston.
Louisiana healthcare organization improperly disposes of documents
Amedisys Home Health of Fayetteville recently discovered two bins intended to transport materials to a paper shredding facility were left in an enclosure behind a local business. The documents containing sensitive information did not reach their destination.
“We believe this is an isolated incident,” an Amedisys representative reportedly said in a press release.
Upon learning of the incident, the healthcare organization hired a document remediation company to recover the documents for inventory purposes. Each document was evaluated to discern if any sensitive health, financial, or personal patient information was exposed in the breach.
It was determined the documents did contain some health information regarding services provided to Amedisys patients, as well as demographic information.
However, Amedisys stated it has no reason to believe any documents were stolen from the bins, and there is no evidence suggesting any of the documents have been viewed by anyone besides the individuals who found the bins.
The healthcare organization has not stated how many patients were potentially impacted by the incident.
In an effort to prevent further issues, Amedisys has sent advisory notices to all potentially impacted patients as well as recommendations for future action concerned patients can take to avoid identity theft.