- Alaska-based Southcentral Foundation recently announced on its website that it experienced a data breach regarding PHI on October 18, 2016. Employee email accounts were potentially accessed during a cyberattack.
The incident involved the potentially exposed information of 14,719 patients, according to the OCR data breaching reporting tool.
Southcentral reviewed the information in the email accounts and determined the exposed information may have included Medicaid ID numbers, Social Security numbers, and birth certificates.
In response, Southcentral has issued a notice to all patients whose PHI may be at risk of exposure, providing potentially affected patients with access to credit monitoring and identity theft protection services.
Southcentral’s website advises that concerned consumers read a provided list outlining steps to protect against identity theft and fraud, which includes contact information of the major credit reporting agencies and government resources where affected individuals can obtain more information about fraud alerts and credit freezes.
Brandywine Pediatrics reports a virus potentially exposing PHI in DE
On December 23, 2016, Brandywine Pediatrics, P.A in Delaware became aware of a data breach resulting in potential PHI exposure. While health information may have been exposed, Brandywine reports that to date there is no evidence any information has actually been accessed or misused as a result of the incident.
The incident occurred on October 25, 2016 when Brandywine discovered a file server was compromised and locked due to a virus.
The organization was able to immediately recover its files from backup tapes and began an investigation into the incident at once. Brandywine enlisted the help of a forensic computer expert to determine an individual may have gained unauthorized access to certain PHI including full name, address, and health insurance and medical information.
Brandywine was adamant in its report that there is no chance any of its patients’ Social Security numbers or payment card information has been exposed or stolen.
In response, the organization has notified potentially exposed patients on how to take steps to protect themselves in the future. Brandywine has since improved the security of its systems and reviewed its policies and procedures.
Brandywine reiterated that it considers the protection of patient information a top priority.
It was not specified in the Brandywine statement how many individuals were potentially affected.
Ransomware attack in AZ potentially affects up to 500 patients
Arizona-based Desert Care Family & Sports Medicine recently suffered a ransomware attack in which up to 500 patient records may have been affected. Desert Care has since notified local police and the FBI of the cyberattack and has taken its server to IT specialists in order to break the ransomware encryption and retrieve affected patient data.
Presently, IT Specialists have been unable to access the encrypted data and all hacked patient records remain unavailable.
Desert Care reported it does not know whether personal information has been exposed, but judging by the nature of ransomware’s intended function, the facility doubts any information has been disclosed or copied onto a separate system.
Desert Care issued a letter to affected patients to alert them of the incident, notifying patients that full name, dates of birth, home addresses, account numbers, and disability codes are among the information potentially exposed.
The organization advised that patients make an effort to protect themselves accordingly.
Specifically, Desert Care recommends concerned consumers register a fraud alert with one of three credit bureaus, closely monitor all account statements, and contact the Consumer Protection Division of the Arizona Attorney’s General Office or the Federal Trade Commission’s Fraud Victim Assistance Department for assistance.
A forensic investigation into the incident is already underway, and Desert Care attests to updating its technology and policies to prevent future attacks.