Georgia-based Vascular Surgical Associates recently announced on its website that it had experienced a PHI data breach after one of its computer servers was accessed by an outside party.
According to Vascular Surgical, the incident happened around the time of a software update, and an investigation revealed that a compromised vendor password was used to gain entry. The facility became aware of the unauthorized access on or about September 13, 2016, but said that the initial server access was gained around March 25, 2016, meaning the intruders had access for roughly six months before detection.
Vascular Surgical explained in an FAQ section on its website that it had “hired vendors with national reputations and significant client bases to support the computer system infrastructure we use to maintain our medical records.” The practice added that the software in question had been certified by the Office of the National Coordinator for Health Information Technology (ONC).
“A password that was created by one of these vendors and controlled by that vendor was used to access our system inappropriately,” the FAQ read. “The perpetrators installed software on our system to prevent us from seeing the activity, but once that activity was identified by our internal IT staff, the system access was changed to prevent additional access using that password.”
The HHS Office for Civil Rights (OCR) breach reporting tool lists 36,496 individuals as potentially affected by the incident.
Vascular Surgical reported that the hackers likely reside in other countries. Social Security numbers and financial data were not stored on the compromised server, but medical records and demographic information such as dates of birth and addresses may have been accessed.
“Upon learning of the incident and verifying the unauthorized access through forensic evaluation, we immediately secured the server so that this type of attack could not occur again,” the statement explained. “We are confident that none of our staff had any involvement in this incident, as the compromised password that was used to access the information was only available to our vendors and their staffs.”
Vascular Surgical’s patient portal was not involved or affected, and patient care was also not hindered, the organization stated.
Mailed CD goes missing, contained certain patient information
Aetna Signature Administrators, a division of Aetna, is notifying patients in Texas that some of their information may be at risk after a CD containing the data went missing after being sent through the mail.
The CD was mailed from one Aetna employee to another on September 6, 2016, but on delivery the envelope was found to be empty. ASA realized on September 9 that the CD was gone and said it immediately notified the US Postal Service. The CD has not been recovered.
The CD contained a report that individuals’ group health plan or group health plan administrator had provided to ASA. Data in the report may have included names, addresses, dates of birth, and Social Security numbers.
“ASA takes the privacy of member information very seriously,” ASA stated in its patient notification letter. “To that end, ASA will no longer accept reports from the health plan or their administrator that include Social Security numbers. Additionally, ASA has stopped mailing CDs and has retrained employees on the company’s procedures for handling member information.”
Approximately 3,000 Aetna patients in Texas are being notified, according to the Houston Chronicle.
Miss. facility reports missing laptop with patient information
Mississippi-based Briar Hill Management is notifying individuals that some of their personal information, including health data, may have been compromised after a company laptop was reported missing.
Briar Hill learned on February 26, 2016 that an employee was unable to locate the device. The employee had violated company policy by saving resident health information to the laptop’s local hard drive and had also failed to properly secure the laptop while outside the office.
“We sincerely regret any concern or inconvenience this incident has caused or may cause any of our valued residents and their families,” Briar Hill Management Compliance Officer Sandy Lindsey said in a statement. “We take resident privacy as seriously as we do their care. We want to assure our residents and the community we serve that we will continue to work both to understand this incident and to implement measures to further strengthen our data security.”
Briar Hill explained that resident names, addresses, Social Security numbers, dates of birth, dates of service, prescription information, and medical records may have been on the laptop. However, not all of that information for all affected residents was involved.
The laptop has not been located, but Briar Hill noted that its investigation has found no evidence that the information was inappropriately accessed.
“In response to this issue, Briar Hill Management has taken numerous remedial actions, including sanctioning the employee involved, seeking local law enforcement assistance, and implementing additional security measures for all mobile technology used by its personnel,” the statement read.
The OCR breach reporting tool lists 2,000 individuals as potentially affected.
Physical therapy entity reports data breach from vendor
The Biomechanics LLC physical therapy facility in Prescott, AZ recently announced on its website that its billing and claims services vendor experienced a data breach that may affect Biomechanics patients.
According to Biomechanics’ statement, Rehab Billing Services (RBS) was notified by one of its support vendors that a data storage account was exposed: it was accessible to persons outside of the office and outside of the support vendor’s organization.
A Texas-based data security researcher reportedly discovered the exposure of the data storage account.
The breach occurred on or around September 11, 2016, and affected patient records from July 2012 through August 2014. Biomechanics said it learned of the breach in the weeks following the initial incident.
Affected data may have included patient names, dates of birth, patient addresses, medical imaging records, intake forms, drivers’ licenses, Medicare numbers, insurance cards, prescriptions, progress reports, and claim forms. Bank account information and credit card information were not included.
“RBS reports that the vulnerability was identified and closed. Updated access controls were established and are now in place to secure the data storage account,” Biomechanics explained. “The researcher indicated no intention of releasing patient information, but acted only to determine data vulnerability and not to review or to release data. The Biomechanics LLC no longer uses RBS services for billing and/or claims.”
Approximately 1,000 patients may have had their information affected, according to the OCR breach reporting tool.