OptumHealth New Mexico reported on November 17, 2016 that it experienced a privacy incident affecting approximately 2,000 individuals when an unencrypted flash drive was lost.
OptumHealth said that it was notified on September 26, 2016 that a vendor’s unencrypted flash drive had been lost in the mail on September 16, 2016.
The flash drive contained information on some individuals enrolled in a plan that OptumHealth administers. This data included individuals’ names and a full or partial date of birth, telephone number, health identification number, address, provider name, diagnosis, or other health information. Financial information was not involved, but a limited number of individuals’ full or partial Social Security numbers were on the flash drive.
“Upon discovery, we took prompt action to investigate the matter,” OptumHealth said in its statement. “The U.S. Postal Service was immediately notified to assist in locating the flash drive, and we are working closely with them as they further investigate the matter. We have implemented new measures to help prevent this from occurring in the future, including updating our processes related to vendors in efforts to prevent the occurrence of similar incidents.”
Potentially affected individuals were sent a notification letter on November 17, 2016, according to OptumHealth. However, a small subset of individuals could not be notified via mail.
One year of complimentary identity theft protection services will be offered to affected individuals. While OptumHealth maintained that “the information potentially accessed was limited,” it still encouraged individuals to enroll in the free services.
The OCR data breach reporting tool states that 2,006 individuals were affected by the incident.
Vendor breach affects Stony Brook facility
A previously reported vendor breach has potentially affected another healthcare provider.
Stony Brook Internists, University Faculty Practice Corporation (UFPC) announced on its website that it had been working with Ambucor Health Solutions (Ambucor) for cardiac care. A former Ambucor employee reportedly downloaded certain Stony Brook Internists, UFPC patient information to thumb drives.
The individual then kept those drives on March 17, 2016, shortly before his Ambucor employment ended.
“The former employee is currently incarcerated on unrelated charges,” Stony Brook explained. “Ambucor has been working with federal law enforcement concerning this incident and has been cooperating fully in the ongoing investigation. As a result of those ongoing efforts, federal law enforcement authorities recently provided Ambucor with two thumb drives that this former employee turned over to them after his departure from Ambucor.”
Stony Brook said it only became aware that some of its patients may have had their information affected after Ambucor completed an investigation in September 2016.
Potentially compromised information included patients’ first and last name, phone number, diagnosis, medications, date of birth, race, home address, testing data (i.e., type of test, test results, date of test and whether testing was monthly or not), patient identification number, medical device information (i.e., manufacturer, identification number, and model/serial numbers), Ambucor enrollment number, Ambucor enrollment date, Ambucor technician name, physician name(s), and the name and address of the practice where the patient was seen.
Ambucor has no indication that the information has been misused in any way, but Stony Brook said that Ambucor is still offering affected individuals one year of complimentary identity protection services. OCR reports that 1,878 individuals with Stony Brook were affected.
The Ambucor breach has affected at least two other healthcare providers: Wentworth-Douglass Hospital (WDH) and Greenville Health System (GHS) have both made announcements stating they had patient information potentially exposed in the incident.
Retirement community reports ransomware attack
Arizona-based retirement community Sagewood announced on November 29, 2016 that it had been the victim of a ransomware attack. Approximately 800 current and former residents may have had some of their personal information exposed in the incident.
Sagewood said that it discovered the ransomware attack on September 29, 2016.
Resident and health insurance information involved may have included names, addresses, dates of birth, phone numbers, Social Security numbers, and possibly Medicare numbers or national identification numbers.
“Sagewood worked quickly to block the cyber attackers and one hour after the discovery was made, Sagewood was able to confirm total containment of the malicious ransomware,” the statement read. “Based on the nature of the attack, the short time involved and the fact that they were never requested to pay money in response to the ransomware, Sagewood does not believe that a ‘hacker’ was looking to compromise or misuse identities or personal information.”
Even so, Sagewood encouraged residents to “take preventive measures to help prevent and detect any unauthorized use of personal information,” such as placing fraud alerts on their credit cards.
Nurse inappropriately accesses patient PHI at CA facility
Glendale Adventist Medical Center reportedly fired one of its nurses for accessing patient PHI without authorization.
Out of the 528 patient records accessed, 88 were from Glendale Adventist’s sister hospital, White Memorial Medical Center, according to a report in the Los Angeles Times.
Certain patient demographics such as name, date of birth, address, diagnosis and Social Security number, may have been included in the accessed data.
A routine security review in June led to the discovery of the PHI breach. The employee had also been working as a per-diem nurse.
“Our patients are our top priority and privacy is a critical part of our commitment to patient care,” hospital spokeswoman Alicia Gonzalez told the Times. “We sincerely apologize for any impact this incident may have on patients affected.”