- An unauthorized third party gained access to St. Peter’s Surgery & Endoscopy Center (the Center) servers on January 8, 2018, according to an online statement. The potential data breach was discovered on the same day of the infiltration, the Center said.
The incident “did not involve or affect any staff, servers or information at St. Peter’s Hospital, Albany Gastroenterology Consultants, or any other affiliated surgeons or healthcare organizations.”
The Center reported to OCR that 134,512 individuals may have been impacted in the server breach.
There is no indication that patient data was accessed or used, but the Center added that such a possibility could not be completely eliminated. Immediate steps were taken to secure the information and an investigation was opened, the organization said.
The server may have included patients’ names, dates of birth, addresses, dates of service, diagnosis codes, procedure codes, insurance information and, in some instances, Medicare information. Banking and credit card information were not involved, and Social Security numbers were not involved for patients without Medicare.
“We deeply regret any concern or inconvenience this may cause our patients,” the Center stated. “To help prevent the possibility of future computer security incidents, we are implementing even more stringent information security standards, increasing staff training, and investigating the purchase of additional and more elaborate anti-fraud and virus protection software.”
Data breach notification letters were sent out to potentially affected individuals on February 28, 2018, and patients were also urged to check their statements received from their health insurer.
Medicare patients will also be offered one year of free credit monitoring, the Center said.
Currently, this incident is the second largest one reported to OCR for 2018. Oklahoma State University Center for Health Sciences (OSUCHS) experienced a potential Medicaid data breach that involved the information of 279,865 individuals.
OSUCHS learned on November 7, 2017 that there had been unauthorized computer network access by a third party. The organization said it removed folders containing Medicaid data from the network on November 8.
Medicaid numbers, healthcare provider names, dates of service, and limited treatment information may have been in the server folders, along with one Social Security number. Medical records were not on the server, OSUCHS added.
“We have no conclusive indication of any inappropriate use of patient information,” OSUCHS stated. “However, out an abundance of caution, we began mailing letters to affected patients on January 5, 2018.”