- CHI Franciscan Health Highline Medical Center (Highline) is notifying certain patients that some of their information may have been exposed due to a vendor error.
R-C Healthcare Management (R-C Healthcare) previously worked with Highline before the medical center was acquired by CHI in 2014. R-C Healthcare alerted Highline on July 22, 2016 that files with patient information had been inadvertently been made accessible online from April 21, 2016 to June 13, 2016.
The files were secured as of June 13, Highline said in an online statement. The files may have contained patient names, dates of service, health insurance information and Social Security numbers.
Only patients whose data was involved in account reporting functions from 1993 to 1994 and then from 2008 to 2013 were potentially affected.
“We take our responsibility to protect patient privacy very seriously and have taken immediate responsive action,” Highline explained. “We work to continually improve our policies, processes and educational offerings to ensure our patients receive the benefit of proven information security and confidentiality practices.”
While the medical center has no knowledge of the data being “accessed, viewed, acquired or otherwise compromised by any unauthorized third party,” it is still offering free credit monitoring services to those who were possibly affected.
The OCR data breach reporting tool states that 18,399 individuals had their information involved in the incident.
Just last month, Bon Secours Health System, Inc. in South Carolina reported that some of its patients may have had their information exposed in the same manner due to R-C Healthcare.
In that case, the data of 655,000 patients were possibly exposed when R-C Healthcare attempted to adjust its computer network settings from April 18, 2016 to April 21, 2016.
“We deeply regret any concern this may cause our patients,” Bon Secours said. “To help prevent something like this from happening in the future, we are reinforcing standards with our vendors to ensure our patients’ information is securely maintained.”
Email error affects Planned Parenthood location
Planned Parenthood of Greater Washington and Northern Idaho reported that it experienced a data security incident on June 28, 2016.
Emails notifying individuals of an online portal were sent to the wrong addresses, Planned Parenthood explained in a statement. Individuals would have received another person’s email, which would have contained the second individual’s first and last name. No other personal or health information was involved.
“Privacy is a top priority for us, and we regret any confusion or concern this error has caused,” the statement reads. “We are reinforcing existing privacy policies and technological protocols internally and with our partners, and are evaluating additional safeguards to prevent any similar incidents from occurring in the future.”
Planned Parenthood added that the portal was immediately shut down once the error was realized and that there is no evidence indicating that any of the data has been misused.
OCR lists 10,700 as potentially being affected by this incident.
Medical College of Wisconsin employee email accessed
The Medical College of Wisconsin recently started notifying patients that some of their information may have been involved in a security incident due to an unauthorized party accessing an employee’s email.
The college noticed on July 5, 2016 that there was unusual activity with the employee’s email account and then retained a forensic firm to investigate. The firm determined that the account had been accessed from July 2 to July 4.
Approximately 3,200 individuals may have had their full names, dates of birth, home addresses, medical record numbers, and codes or notes related to diagnosis or treatment provided exposed, according to a Wauwatosa Now report. Furthermore, two patients had their Social Security numbers included. However, health insurance, credit card, banking or other financial information were not in the email account.
While there is no evidence that the information was actually acquired or viewed, the college is providing credit monitoring to the individuals whose Social Security numbers were involved.