Florida-based Orlando Orthopaedic Center reported to OCR on July 20 that 19,101 individuals were affected by lax vendor security, leading to a possible PHI breach.
The breach occurred at a transcription service vendor in December, according to a report by the Orlando Sentinel. A server used by the service was left unsecured because of a misconfigured software update that exposed PHI on the internet.
The PHI that may have been exposed included patient names, dates of birth, treatment, insurance information, and employer, as well as Social Security numbers for a limited number of patients. No credit or debit card, banking, or financial accounts were involved in the breach.
While the report did not name the vendor, medical transcription service Nuance experienced a breach in December affecting 45,000 individuals.
The clinic is conducting cyber awareness training for its workforce and regularly updates its system’s security and firewalls.
Pennsylvania DHS Compass System Exposes Data on 2,130 People
The Pennsylvania Department of Human Services (DHS) reported to OCR on July 16 that 2,130 individuals were affected by an unauthorized disclosure of information.
In a release, DHS said that it discovered on May 23 a system error in its Compass (Commonwealth of Pennsylvania Access to Social Services) system, which exposed sensitive information of people who were part of the same benefit household but who now belonged to a different case record.
The Compass system is an online platform used by people to apply for and manage social benefits and services, including children’s health insurance, disability services, and long-term care.
The information that might have been viewed included full name, date of birth, citizenship, and employment. However, Social Security numbers were not exposed.
DHS is offering free credit monitoring services to affected individuals.
Alaska-based FNSB Gets Caught Up in Golden Heart Data Breach
Alaska-based Fairbanks North Star Borough reported to OCR on July 19 that 6,346 individuals were affected by an IT incident.
The breach was related to the previously reported ransomware attack against medical billing company Golden Heart Administrative Professionals (GHAP) that exposed PHI on more than 44,000 individuals.
FNSB said in a statement that GHAP experienced the ransomware attack on April 14, informed FNSB about the attack on May 25, and provided more detailed information on June 18.
“According to GHAP, the forensic investigation determined that all information in the GHAP system was potentially compromised and subject to the unauthorized access and acquisition by an unknown third-party, including individuals' names, addresses, Social Security numbers, dates of birth, medical treatment and diagnosis codes and, in certain instances where payment was made by credit card, credit card information and other potentially sensitive information,” FNSB related.
FNSB noted that it stopped using GHAP as its ambulance billing service last year. It will work with its current billing service to ensure that it has “adequate administrative, technical and physical safeguards to protect personal information against similar future threats.”
Confluence Health Admits to Email Breach Exposing PHI
Confluence Health, which operates hospitals and clinics in central and northcentral Washington, reported July 27 an employee email breach that resulted in an unauthorized party possibly accessing patients’ PHI.
Confluence did not say how many patients were affected by the breach. Information that may have been exposed included patients’ names and treatment.
The health system said it discovered the attack on May 29 and determined that it had taken place on March 30 and May 28.
Confluence Health said it had multiple security solutions in place to prevent unauthorized account access, and staff had received security awareness training, yet the attacker was able to bypass those measures.
Update: Confluence reported to OCR that 33,821 individuals were affected by the breach.
Survey Discloses Emails of Vermont Health Connect Customers
A problem with an online survey led to the disclosure of email addresses for some Vermont Health Connect and Medicaid customers, according to a report by VT Digger.com.
In total, 127 people sent emails to other health insurance consumers amid confusion about an online survey issued July 20 through the Department of Vermont Health Access.
The survey included questions about residents’ experience with state programs like Vermont Health Connect, Medicaid, Reach Up, 3SquaresVT, and low-income heating assistance.
The department sent a link to the online survey in an email to around 37,000 people “using the same distribution list that we use to contact members about open enrollment deadlines or resources for selecting a (health) plan,” explained Sean Sheehan, the department’s deputy director of health access eligibility and enrollment.
Seven recipients, instead of clicking on the survey link, replied to the department’s email with questions. Because of an “erroneous” email setting, those replies went to everyone on the distribution list.
“Within two or three hours, we discovered the error, and we had the settings fixed,” Sheehan said.
Even after that fix, about 120 people replied to the original seven emails sent by survey recipients. By then, they could no longer reply to the entire distribution list.
The department said no other personal or health information was disclosed. Officials reported the incident to federal authorities, and the department’s privacy officer is working with those who were affected.