- On August 24, 2012, a Multnomah County Health Department employee automatically forwarded all emails from an employee county email account to a personal Google email account not maintained by the Oregon county. Some of these emails included PHI, which may have created a PHI breach, according to the department’s online statement.
Multnomah County employees discovered the incident on November 22, 2016 during an audit. An investigation began and found no evidence that messages in the personal email account were misused in any way.
After the investigation, county personnel concluded the personal email account had since been deleted and was no longer available to the employee.
Some email attachments in the account contained PHI because the employee account was attributed to a member of the Health Department. The potentially accessed information may have included individuals’ names, medical record numbers, prescription numbers, diagnoses, and dates of service
The OCR data breach reporting tool reported that 1,700 individuals were potentially affected.
There is no indication any patient’s Social Security number, home address, or phone number was accessed.
Multnomah County and the County Health Department are monitoring any activity involving patient information at this time and are attempting to increase protections of personal information in response to this incident.
“We have policies and procedures for handling personal information which were reviewed with the staff member involved in this incident,” the department explained. “We are also reviewing controls, business practices and policies to increase protections of personal information in response to this incident.”
California practice suffers email hack
On December 9, 2016, foot and ankle surgeon Jay Berenter’s office suffered an email hack where some patients received an email that the office employees claimed not to have sent.
The email alerted Dr. Berenter’s contacts that the office had a DocuSign document waiting for their review. Dr. Berenter’s office issued an email immediately after informing patients not to access the DocuSign email.
Dr. Berenter’s office also immediately took action to secure the email account and promptly hired forensic IT specialists to determine exactly what happened and whether any of the office’s other systems were affected. The organization’s online statement said that the fraudulent activity was determined to be limited to the email account only.
Potentially accessed information includes patient registration forms, prescriptions, and patient names.
The ONC data breach reporting tool stated that 569 individuals were possibly affected.
Dr. Berenter has since hired forensic IT specialists to investigate the situation further and ensure no electronic medical records were accessed. The office is adopting a new email system and implementing additional internal administrative steps to inhibit a similar hack from occurring in the future.
Federal agencies including the California Attorney General and the Federal Department of Health and Human Services were made aware of the incident.
While there is no evidence to support the possibility that any patients information has been misused in any way, Dr. Berenter’s office has provided contact information for those who fear their information has been put at risk.
Ohio data breach potentially impacts 1.5K
Ohio-based Vision Source recently announced that it experienced a data security incident on December 12, 2016 that may have left patients’ PHI vulnerable.
Local police discovered that a storage unit used to hold current and former patients’ documents had been broken into. The police investigation found seven boxes holding patient documents had been stolen from the site.
Approximately 1,500 individuals were possibly affected by this incident, according to the ONC data breach reporting tool.
These documents have since been recovered and accounted for, and there exists no evidence the documents were misused in any way, according to the organization’s online statement.
The potentially accessed documents may have contained sensitive information including patient names, addresses, Social Security numbers, and some medical information.
Vision Source has since reviewed and assessed the damage attributed to the stolen documents, which is allegedly minimal.
In an abundance of caution, the organization said it has emailed potentially impacted patients about the incident and enlisted the help of Kroll to provide identity monitoring at no cost to affected patients for one year.