- California-based child welfare agency Hillsides notified certain individuals that they may have been the victims of a PHI data breach after an employee sent internal files to a personal email address.
Hillsides reported that it became aware of the incident on December 8, 2015, and that the employee sent unencrypted files to his own personal email address on five separate occasions between October 10, 2014 and October 19, 2015.
Information included names, Social Security numbers, home address and phone numbers for 468 members of Hillsides staff. Additionally, the files included names, dates of birth, gender, medical identification numbers, therapist names, and rehabilitative therapists' names for 502 Hillsides clients.
“We sincerely apologize for the inconvenience and concern these incidents may have caused to our staff and clients, whose privacy is very important to us,“ Hillsides CEO Joseph M. Costa said in a statement. “We will continue to investigate the incident, to reduce harm to potentially affected individuals, and to protect against future similar occurrences.”
Hillsides added that the employee was terminated from his position upon discovery of the incident, as it was a violation of company policy.
There has been no evidence that the information was used inappropriately, but the agency explained that it has been unable to recover the files from the email account or verify if the files have been deleted.
Hillsides said it is taking steps to ensure that this type of situation does not happen again.
“The agency is working with its legal counsel to ensure all appropriate steps and notifications are being followed,” the agency said in its statement. “They are also implementing an employee re-training program to reduce the risk of future occurrences and improve its internal security awareness procedures.”
There were several other data security incidents recently at healthcare organizations, including cases of unauthorized access and device theft.
Security breach affects 14K patients in New York
Over 14,000 patients were recently notified that some of their personal information may have been exposed after an incorrect attachment was sent out in a mass email.
The dermatology office of Dr. Mary Ruth Buchness, PC announced on December 11, 2015 that the security breach occurred on November 23, 2015. An email was sent to certain patients to have them take a survey. However, the attachment in the email included a spreadsheet with patient demographic information.
Spreadsheet data included names, Social Security numbers, dates of birth, gender, dates of last service and next appointment, telephone numbers, addresses, email addresses, marital status, head of household, employer/occupation and race/ethnicity.
“As soon as the error was discovered we notified our network administrator, who immediately shut down our email server in order to minimize the number of recipients who received the incorrect attachment,” Buchness said in her notification letter. “Nevertheless, although we have not yet determined the exact number of recipients, it appears that approximately one hundred thirty emails were sent.”
Buchness added that of the 130 emails sent, 60 were successfully delivered and received.
While the notification letter did not specify how many individuals were potentially affected, the OCR data breach reporting database listed the number at 14,910.
A privacy and security consultant has been hired to help prevent future data breaches, Buchness stated, and will also help “with implementing additional technical safeguards to prevent sending protected health information unintentionally through our e-mail system.”
Employees will also receive additional HIPAA training, and there is currently a ban on sending emails to multiple recipients until the necessary procedures have been implemented to prevent such an incident from recurring.
New Mexico Department of Health reports data breach
The New Mexico Department of Health recently announced that an employee’s laptop was stolen from the employee’s vehicle on October 4, 2015, potentially compromising patient PHI.
The vehicle was parked at St. Joseph on the Rio Grande Church, where several other burglaries took place that same day, according to a department statement.
Patient first and last names, dates of birth, facility unit, medications, and in some cases diagnosis, may have been exposed.
“The laptop and certain files were password protected,” the department explained. “The Department of Health has no evidence indicating that any individual’s protected health information has been accessed or utilized.”
Patients who may have been affected would have visited the New Mexico Behavioral Health Institute in Las Vegas, New Mexico between June of 1997 and September of 2013 or the Sequoyah Adolescent Treatment Center in Albuquerque between 2013 and 2015.
The OCR data breach reporting database lists 561 individuals as being affected by the incident.
Washington Hospital Healthcare reports potential data breach
Washington Hospital Healthcare System recently reported that it experienced a potential data breach at one of its facilities following unauthorized access on a computer.
Washington Township Health Care District (the District) learned on October 8, 2015 that an unauthorized individual may have accessed a computer associated with the Washington Community Health Resource Library. The device in question is used to maintain library identification cards, according to a Washington Hospital statement signed by Washington Hospital Healthcare System’s Chief of Compliance Kristin Ferguson, MSN, MHA, BS, RN CHC.
“Upon learning this, we immediately initiated a comprehensive internal review to determine what information may have been accessed,” Ferguson explains. “We also retained an outside computer forensic firm to assist in our investigation. That investigation is now complete.”
There was a database file on the computer containing individuals’ names, addresses, and driver’s license numbers. However, Social Security numbers and health information were not affected.
The affected computer was also not connected to the District’s network, and there is no reason to believe that the information was used inappropriately, according to the statement.
Even so, potentially affected individuals a complimentary, one-year membership to identify protection services.
“To help prevent something like this from happening in the future, we are taking additional steps to strengthen and enhance the security of information on our network, including conducting a comprehensive review of our information security policies and procedures,” the letter explained.