- Wyoming Medical Center has reported on their website a potential healthcare data breach due to a phishing scam.
Approximately 3,184 individuals were notified by the medical center that their PHI may have been accessed by an unauthorized user.
In February, the medical center discovered that an outside entity had gained access to two email accounts in the organization.
The entity had first sent a phishing email to one employee. After the employee opened the scam email, the third party was able to use the employee’s account to send more phishing emails to other staff.
One other email account was compromised, which caused the outside entity to have access to the organization’s email for 15 minutes.
The email accounts contained information on hospital purchasing, wound care, and patients who were on isolation precaution.
PHI that was potentially exposed included names, medical record numbers, dates of hospital services, account numbers, dates of birth, and some medical information.
EHR systems were not compromised, the medical center confirmed in its statement.
In light of the security event, Wyoming Medical Center has notified affected individuals of the possible healthcare data breach. The medical center has also reviewed its security policies, especially in regards to email safeguards.
Kaiser Permanente reports stolen vehicle, possible PHI exposure
A stolen truck has resulted in a potential healthcare data breach for Kaiser Permanente, a healthcare system based in California.
Between March 12 and March 14, a mail delivery truck containing the health information of approximately 2,400 individuals was stolen from a parking lot, reported The Press Enterprise. Despite Kaiser Permanente’s mail delivery procedures, the truck was not parked in a secure area.
The truck was carrying "Evidence of Coverage” handbooks for Kaiser Permanente patients who are on the Inland Empire Health Plan. The handbooks included some personal information, such as names, addresses, and an overview of plan benefits.
The healthcare system reported the stolen vehicle to local law enforcement officials. The vehicle was found, but the health information was not in the truck. The report did not disclose where the vehicle was discovered.
Kaiser Permanente stated that there is no evidence that PHI has been used in inappropriate ways, such as identity theft. The healthcare system also confirmed that the mail did not include Social Security numbers, medical record numbers, descriptions of health services, health statuses, and financial information.
“We are in the process of notifying and apologizing to our members affected by this incident,” officials said in a statement. “We have investigated this matter and are taking appropriate steps to prevent similar errors in the future.”
Medical center notifies 3,118 patients of security incident
A potential PHI data breach at the Vail Valley Medical Center (VVMC) in Colorado has compromised the health information of 3,118 individuals, according to the OCR’s data breach portal.
On February 16, the medical center discovered that a former physical therapist at its sports medicine office inappropriately copied physical and occupational therapy records to two USB storage devices, reported VVMC in a notification letter. The former physical therapist was still employed at the medical center when he made the copies in December 2015.
The former employee took the USB devices upon leaving VVMC for a position at another employer.
Upon investigation, the medical center obtained the storage devices and a signed document that the former employee does not have any other copies of patient information.
The patient records on the USB drives contained names, ages, dates and amounts of payments, diagnoses, conditions, therapy treatments, test results, and progress information. They did not include Social Security numbers, dates of birth, addresses, or financial information, confirmed the medical center.
VVMC has mailed notification letters to affected patients and it encouraged all patients to monitor their credit reports and financial accounts.
To prevent future security incidents, VVMC has implemented several security measures.
“Specifically, VVMC has implemented tools to restrict employees’ ability to move or copy files from VVMC’s network to electronic storage devices,” explained the press release. “We are developing further the tools we use to monitor our network for suspicious activity.”
Additionally, the medical center has provided mandatory training to staff on HIPAA compliance, developed a Health Information Manager position, and updated its privacy policies.
Mailing error causes healthcare data security incident
American Fidelity, a health insurance company, has announced a healthcare data security incident resulting from a mailing error.
According to an official press release, debit card substantiation letters were mailed to some customers on February 15. Soon after, the health insurance company discovered that some customers were mailed information that was meant for another individual.
The letters detailed the debit card usage for recent flexible spending. Information that may have been exposed included names, addresses, employer names, employer ID numbers, last four digits of debit card numbers, dates of service, healthcare provider names, and payment amounts.
The OCR data breach portal reported that 2,664 individuals were affected by the mailing error.
Customers who received the financial and personal information of another individual are encouraged to contact American Fidelity and it will arrange to retrieve the letter, explained the press release.
The health insurance company has mailed affected customers a notification letter of the possible data breach. In the letter, American Fidelity has offered affected customers complimentary credit monitoring and identity protection services for a year.
Affected customers can also contact the company’s privacy officer with any questions regarding the reported event.
“American Fidelity has concluded that this incident was a result of human error, and has taken steps to prevent this from happening in the future,” stated the press release.