- Flint, Michigan-based Singn and Arora Oncology Hematology is notifying 22,000 patients that some of their information may have been accessed in a cybersecurity breach, according to an ABC12 report.
An unauthorized user reportedly accessed one of the organization’s servers between February 2016 and July 2016. However, the practice did not become aware of the incident until August 2016.
Patient names, Social Security numbers, and insurance information were contained in the files. While there is no indication that the data was used for malicious purposes, Singn and Arora explained in its letter that it cannot say with complete certainty that the information was not compromised.
Potentially affected patients are being offered one year of complimentary free credit monitoring services.
10K impacted by unauthorized website access in Calif.
Verity Health System in California recently reported that an unauthorized third party may have accessed the personal information of “more than 9,000 individuals.”
Verity Health detected the access on January 6, 2017, and that it occurred on the Verity Medical Foundation-San Jose Medical Group website. The website is no longer in use but “immediate steps” were taken to secure it. The access reportedly took place between October 2015 and January 2017.
Potentially affected information included patient names, dates of birth, medical record numbers, addresses, email addresses, phone numbers and the last four digits of credit card numbers. However, full credit card numbers and Social Security numbers were not included. The data was also from 2010 to 2014.
While Verity reported 9,000 affected individuals in its statement, the OCR data breach reporting tool states that 10,164 were likely impacted.
“Verity Health System takes the security of our patients’ information seriously, and we regret that this incident occurred,” Verity Health CEO Andrei Soran said in a statement. “We took immediate steps to investigate this incident, notify the affected individuals and appropriate authorities, and ensure enhanced protection of our information systems going forward. We are working with a leading cyber-security firm to further evaluate the integrity of our information systems.”
Verity established a call center to answer questions and will also be offering potentially affected patients one free year of credit monitoring services.
PHI possibly accessed at New Jersey facility
Princeton Pain Management (PPM) announced on its website that certain patient data in a computer server was possibly accessed by an unauthorized third party.
The New Jersey organization discovered the potential access on November 28, 2016, but said that there is no evidence that data was removed from the server.
Affected information likely included names, addresses, telephone numbers, dates of birth, Social Security or Medicare numbers, driver license or government identification numbers, medical and health insurance identifiers, and diagnostic and treatment information.
The OCR data breach reporting tool states that 4,668 individuals were potentially impacted by the incident.
“Upon learning of this incident, we promptly commenced an internal investigation and retained a computer forensics firm to assist in the investigation,” PPM explained in its statement. “Additionally, we have reconfigured various components of our network to enhance security and will be reviewing our security processes and updating system protections designed to help prevent this type of incident from recurring in the future.”
PPM maintained that it is not aware of any fraud or identity theft stemming from the server access. Even so, it cautioned individuals to monitor their credit reports, review their explanation of benefits documents, and to consult the PPM identity theft protection guide.
Break-in at Kansas facility may involve patient information
Wichita, Kansas-based Family Medicine East, Chartered reported that it had an unencrypted desktop computer and printer stolen from its facility on December 8, 2016.
An individual broke an exterior window to get into the building. Family Medicine said that police have not yet apprehended the thief or recovered the stolen items.
Family East determined through backup files that “a significant number contained images of typed office notes dictated by Family Medicine East physicians during 2002 and 2003.” Specifically, patient names, dates of birth, appointment dates, and the name or initials of the physician or PA who saw patients were in the notes.
However, addresses and Social Security numbers were not involved.
Some files may also have contained letters written to other physicians discussing a Family Medicine referral. Patients described in the letters were also identified by name and information about their medical condition.
“[The notes and letters] were typed by transcriptionists engaged for that purpose in 2002 and 2003,” Family East said in its online statement. “The files remained on the computer that was stolen as a result of an employee's oversight, and were not detected during a number of risk analyses undertaken prior to the theft, as part of efforts to secure all individually identifiable health information.”
Family Medicine said it strongly encourages individuals who saw a physician or PA in 2002 or 2003 “to take steps to eliminate or minimize potential harm that could be caused by the theft.” Some of these steps can include obtaining credit reports and monitoring their financial and baking accounts for unauthorized activities.
The organization added that it will be offering complimentary credit monitoring services available to potentially affected patients.
“While Family Medicine East hopes to recover the stolen computer, this may not be possible,” the statement explained. “As part of its ongoing effort to prevent breaches of protected health information, Family Medicine East began the process of encrypting health information stored on laptop computers used by the doctors, PAs and nurses for patient care some time ago.”
All PHI on computers, including on the group’s EMR system, will now be encrypted, Family East said.