- On December 15th, Oak Cliff Orthopaedic Associates announced a theft involving records containing personal PHI from the years 2006 to 2007.
According to a report from Oak Cliff, the Lewisville Police Department has since located and returned the stolen records.
The data potentially accessed included patients’ names, addresses, and office medical records. Oak Cliff also noted “in some cases, Social Security number, credit card number, or banking information was involved.”
Oak Cliff noticed the records were missing from an off-site storage unit on October 17th, 2016. The police department later located and recovered the records in a hotel room along with other stolen materials. The organization has since removed all items out of this storage unit, notified banks of potential fraudulent activity, and begun an investigation into the incident.
A hired legal team determined the extent of the unauthorized access, concluding that there is no evidence data has been misused at this time.
Oak Cliff sent letters describing the incident and offering one year of free identity protection and restoration services to those possibly affected by the event. The letters also included suggestions about additional ways individuals can safeguard their information in the future.
According to the OCR data breach reporting tool, 1,057 individuals may have been affected by the incident.
Email Data breach on L.A County Potentially Affects Thousands
Thousands of individuals may have been impacted by a phishing email attack on the County of Los Angeles on May 13, 2016. County officials learned of the breach the next day and immediately employed strict security measures.
Approximately 100 County employees unknowingly provided their usernames and passwords to a hacker through an email disguised to look credible. Some of the employees’ accounts contained confidential client/patient information.
The District Attorney Office’s Cyber Investigation Response has issued an arrest warrant for Austin Kelvin Onaghinor of Nigeria, who was charged with nine counts, including unauthorized computer access and identity theft.
The County conducted a forensic examination and released a statement that “756,00 individuals were potentially impacted through their contact with the following departments: Assessor, Chief Executive Office, Children and Family Services, Child Support Services, Health Services, Human Resources, Internal Services, Mental Health, Probation, Public Health, Public Library, Public Social Services, and Public Works.”
However, according to a press release from the County of Los Angeles, “there is no evidence that confidential information from any members of the public has been released because of the breach.”
Ransomware Attack Impacts Black Hawk College Employees
On November 4, 2016 Summit Reinsurance Services reported a potential cybersecurity incident that may affect thousands of current and former Black Hawk College employees.
Summit is the reinsurance carrier for the college’s former third-party health insurance administrator, Health Alliance.
Summit informed Black Hawk that ransomware had infected a server containing information including names, Social Security numbers, health insurance information, and claim-focused medical records of current and former employees and their dependents.
A third-party forensic investigator determined the incident occurred on March 12.
According to a report in the Star Courier, “Summit has no evidence that any personal information has been used inappropriately.”
The investigation is ongoing. Potentially impacted individuals are being notified in an advisory letter that will include recommendations to improve security and free access to one year of credit monitoring. A call center will be available to individuals seeking assistance.
Earlier this month, Summit Reinsurance was also tied to a potential data breach at Louisiana Health Cooperative, Inc. in Rehabilitation (LAHC). Similarly, a ransomware infection affected a server holding information including Social Security numbers and health insurance information.
UPDATE: Data Security Incident Affects 400K in Washington
Community Health Plan of Washington (CHPW) recently confirmed on its website that one of its servers had been compromised, potentially affecting 400,000 members.
CHPW said it became aware of the potential data breach on November 7, 2016, and that it immediately disabled the compromised server and started an investigation.
Potentially accessed information includes names, addresses, dates of birth, Social Security numbers, and claim codes.
“Our highest priority is the protection of our members’ confidential information and their trust,” CHPW CEO Leanne Berge said in a statement. “As a community health center-focused, not-for-profit we have the duty to provide transparency in our work and are committed to providing all the resources that our members need to understand this incident and protect themselves.”
CHPW began to notify affected members on December 21, 2016. Those individuals will also be offered complimentary credit and identity monitoring services for 12 months.
“CHPW is also working with its technology services provider to increase the security of all CHPW member information and to prevent similar incidents in the future,” the health plan statement explained.