The Pain Treatment Centers of America (PTCOA) and Interventional Surgery Institute (ISI), a healthcare network in Arkansas, has reported a potential PHI data breach after a vendor notified them of a hacking incident.
According to OCR’s data breach portal, an estimated 19,397 individuals were possibly affected by the data security incident.
In its HIPAA notification letter, PTCOA and ISI explained that they use an EHR and healthcare practice management tool that is operated by Bizmatics, a third-party vendor. The tool manages patient files and contains the medical records of all its patients.
Bizmatics notified PTCOA earlier this year that its data servers, which store customer records, were accessed by an unauthorized outside party. The vendor became aware that hackers had gained access to its system in late 2015.
After discovering the security incident, Bizmatics collaborated with law enforcement officials and a cyber forensics firm to investigate the possible healthcare data breach. Bizmatics reported that the hacking incident has been contained and the affected systems are secured.
“We have no reason to believe that our patient files were the target of the hackers’ attack on Bizmatics,” wrote PTCOA and ISI. “Due to the nature of the attack, Bizmatics cannot say for certain that PTCOA’s patient files were among the data that was accessed or acquired by the hacker.”
PTCOA and ISI have mailed letters to affected individuals and established a call center to field questions about the possible PHI data breach. They have also provided affected patients with one free year of credit monitoring and identity protection services.
In a likely related incident, Bizmatics was also involved in another potential healthcare data breach with a different client. Complete Family Foot Care in Nebraska reported that 5,883 patients were affected by a possible PHI data breach caused by unauthorized access to Bizmatics servers.
The servers also contained the EHR information from Complete Family Foot Care.
Stolen flash drive causes healthcare data security incident
A dental clinic in Wisconsin recently announced a potential healthcare data breach after a flash drive containing patient information was stolen.
Oneida Health Center discovered that a flash drive that stored dental information on patients was stolen from its office.
Information that was potentially exposed included names, dental patient identification numbers, dates of visits, and dental insurance identification numbers. Financial information was not contained on the flash drive, confirmed Oneida Health Center.
According to the press release, the incident affected approximately 2,700 individuals who visited the clinic between February 7, 2015 and February 17, 2016.
Oneida Health Center stated that the patient information was limited and there have been no indications that the data was misused or inappropriately disclosed. However, affected individuals should notify their dental insurance companies and check for identity theft.
In response, the health center launched an investigation with local law enforcement. It also notified all affected individuals of the security incident.
“To prevent a reoccurrence of this type of isolated internal incident, we are implementing the following measures: Reviewing and implementing administrative procedures regarding the use of flash drives and implementing appropriate technological safeguards concerning their security and storage,” explained the press release.
CVS notifies patients of possible healthcare data breach
CVS recently notified some Alabama customers that a stolen laptop may have inappropriately disclosed patient information.
On March 22, CVS was notified that a laptop was stolen from a vendor, according to a report by AL.com. The laptop contained customer information on individuals who had filled prescriptions at the CVS Store at 8370 Highway 31 in Calera.
Patient names, addresses, telephone numbers, prescription names, prescription numbers, and dispensing dates were potentially exposed by the security incident. CVS confirmed that no financial information was on the device.
While the laptop was password-protected, the vendor had not encrypted the patient information. CVS reported that by not securing the data, the vendor violated its agreement.
The vendor also did not have access to customer information at other Alabama stores, but it may have access to data at stores in other states, explained CVS. However, the laptop only had information from the Calera location.
“Nothing is more central to CVS Health's health care operations than maintaining the privacy of its patients' personal information and the Company sincerely apologizes for any inconvenience or concern,” said CVS in a statement.
The report did not state how many individuals were affected by the potential healthcare data breach.
CVS is working to notify all affected individuals and encourages affected customers to call with questions about the reported security event.
“Based on our thorough review of this matter, we believe this incident is an isolated issue which was not caused by lack of internal controls or other systemic issues,” said CVS spokesperson Mike DeAngelis. “The vendor will further enhance its internal controls to prevent similar issues in the future.”
Unauthorized access causes potential PHI breach in TX
Unauthorized access to an office computer resulted in a potential healthcare data breach at Atique Orthodontics, P.A., according to a recent press release.
Neither the statement nor the OCR data breach portal released how many individuals may have been affected by the security event.
The Texas-based orthodontics practice discovered that one of its office computers was accessed by an unauthorized party between February 29, 2016 and March 30, 2016. The computer was connected to a server that stored patient information.
The server contained PHI, including patient names, dates of birth, Social Security numbers, home addresses, phone numbers, credit card information, and insurance information.
Upon discovery of the security incident, Atique Orthodontics shut down remote access to its office computers.
Atique Orthodontics stated that it will increase technical precautions to further secure and protect patient information.
The practice has mailed notification letters to affected individuals. Due to the sensitive nature of the information at risk, Atique Orthodontics has offered affected patients complimentary identity theft protection services, credit monitoring for a year, and a $1 million insurance policy.