A California-based cancer research and treatment center recently announced that some patient PHI may have been compromised in a phishing attack.
City of Hope reported on its website that four staff members had their email accounts accessed by an unauthorized party due to a phishing attack that took place during the week of January 18, 2016. Three of those accounts included emails that contained PHI, such as patient names, medical record numbers, dates of birth, addresses, email addresses, telephone numbers and some clinical information such as diagnoses, test results and dates of service.
“It does not appear that the phishing attack targeted protected health information; instead, it appears the accounts were accessed for the purposes of sending spam emails to other individuals,” the statement explained. “City of Hope is sending notification letters to the affected patients, and is taking all appropriate steps to mitigate any potential harm to affected individuals.”
For most of the affected patients, only their name and medical record number were affected. Moreover, City of Hope added that with the exception of one patient’s information, Social Security numbers and financial information were not affected.
“City of Hope took prompt action to secure the email accounts and end the intrusion,” the center stated. “In addition to notifying local law enforcement, City of Hope retained a leading forensic information technology firm to assist with its investigation of the incident, to evaluate its systems and processes and further strengthen its safeguards to protect against such attacks.”
The statement did not disclose how many individuals were potentially affected, and the OCR data breach reporting tool did not have anything listed at the time of publication.
Other recent potential data breaches included cases of unauthorized third-party access and mistakenly distributing documents through the mail.
Oncology database inappropriately accessed, personal information affected
21st Century Oncology recently announced that one of its databases was inappropriately accessed by an unauthorized third party.
The FBI told 21st Century on November 13, 2015 that the incident took place, and the oncology center “immediately hired a leading forensics firm to support [the] investigation, assess [its] systems and bolster security.”
The forensics firm then determined that the intruder may have accessed the database on October 3, 2015.
Potentially compromised information includes patient names, Social Security numbers, physicians’ names, diagnosis and treatment information, and insurance information. There is no indication that medical records were accessed, according to 21st Century.
The FBI requested that there be a delay in data breach notification, the statement explained, so as to not interfere with the federal investigation.
“We continue to work closely with the FBI on its investigation of the intrusion into our system,” 21st Century stated. “In addition to security measures already in place, we have also taken additional steps to enhance internal security protocols to help prevent a similar incident in the future.”
While there is no indication that the information was misused, potentially affected patients are still being offered one year of free credit monitoring services. Moreover, the facility advised patients to closely monitor the explanation of benefits statements they receive from their health insurer to make sure that they have received all of the services listed.
“We deeply regret any concern this may cause our patients, and we want to emphasize that patient care will not be affected by this incident.”
Medical payment data exposed by Iowa DHS mailings
Medical payment data and other personal information were inadvertently exposed through improper mailings, the Iowa Department of Human Services (DHS) acknowledged last week.
Approximately 425 individuals were affected by the mailings, which were sent out to 12 nursing home facilities in December.
“We are not aware of any information being misused and we apologize for any inconvenience or concern this caused the individuals whose information was inadvertently shared with another nursing facility,” Amy McCoy, a spokeswoman for the Iowa DHS, told the Des Moines Register.
DHS became aware of the incident on January 22, 2016, and letters were sent out to individuals on February 12, 2016.
Potentially exposed information includes names, insurance or government program information, name of the current facility where the individual resides and Medicaid state identification.
“The chance that personal health information sent to a HIPAA-covered entity could be misused is minimal, but we take steps to ensure that the information is destroyed, and that individuals are notified and understand what resources are available if they have concerns,” McCoy added.
All of the nursing home facilities reported that the information had been shredded.