Indiana-based Orleans Medical Clinic may have suffered a healthcare data breach after one of its computer servers was hacked.
On approximately April 17, 2016, Orleans Medical “became aware of suspicious activity” on one of its computer servers, the clinic said in a statement. Following an investigation, it was revealed that EHR data had been left unsecured on the server after the server had been upgraded.
It was also revealed that hackers had access to the information from April 5, 2016 to April 17, 2016. Orleans Medical received confirmation on July 21, 2016 of the individuals and information potentially affected by the incident.
Orleans Medical said that it immediately secured the server to prevent the same thing from happening again.
“While our investigation was not able to definitively conclude whether the hackers actually accessed or obtained a particular individual's information, it would have been possible for the hackers to access and obtain patient information about all of our current and former patients, including medical records and demographic information such as date of birth and social security number,” Orleans Medical stated.
Even though banking and credit card information were not affected, the clinic still urged patients to contact their bank or credit card company and make them aware of the situation.
The Orleans Medical statement did not disclose how many patients were potentially affected, but the OCR data breach reporting tool states that the information of 6,890 individuals was involved.
The patient portal was not affected, and at no time was information unavailable to the provider in a way that prevented patient care, the clinic added.
Patient notification letters have been sent out via mail, and potentially affected patients will also be offered complimentary identity theft services for one year.
Patient files made available online at Illinois facility
An Illinois hospital and physician group is notifying patients of a potential data security incident after certain information was made viewable online due to a vendor error.
The Carle Foundation explained in a statement that it learned on June 14, 2016 that a vendor had placed files containing patient information on a Carle file server on February 17, 2016. This potentially made the files viewable to those who had access to the server via the internet.
Social Security numbers and financial information were not included. However, the exposed data may have included patients’ names, medical record numbers, dates of service, reasons for visit, names of physicians, Carle account numbers, and diagnosis and treatment codes.
“We deeply regret any inconvenience this may cause our patients,” Carle said. “To help prevent this from happening in the future, we are working with all of our vendors to re-enforce education regarding secure transfer of patient information.”
Carle added that only “a small number” of patients were affected, and that it was “limited to only those patients who were discharged from Carle Hospital in the timeframe of November 1, 2015 through January 31, 2016.”
The OCR data breach reporting tool states that 1,185 individuals were potentially affected.
Notification letters were sent out starting on August 3, 2016. Individuals who believe their data might have been exposed and did not receive a letter by August 17 can reach out to Carle.
Unauthorized access at SCAN Health Plan
A non-profit health plan in California is notifying members of a potential healthcare data breach after it discovered that contact sheets had been accessed and possibly viewed for unauthorized purposes.
SCAN Health Plan explained in a statement that it became aware of the incident on June 27, 2016, but that the unauthorized access happened between March and June of 2016.
“While there is no indication that the information in this system has been used fraudulently, we needed to let you know that your information was in this system,” the health plan said.
Potentially exposed information included names, addresses, and phone numbers. Some individuals may also have had their date of birth and limited health notes exposed. The notes included data such as doctor names, health conditions, or medication names. A “small number of individuals” may also have had their Social Security number exposed.
It was not disclosed how many members may have been affected by the incident.
SCAN added that it has also arranged for individuals to receive one year of complimentary identity protection services.
“We take the privacy of the personal information in our care very seriously and are working to ensure this doesn’t happen again,” SCAN stated. “We are very sorry for any inconvenience and concern this may cause you.”