- SSM Health St. Mary’s Hospital in Jefferson City, Missouri, reported to OCR on July 30 that an improper disposal of paper medical records may have resulted in a data breach affecting 301,000 individuals.
In a public notice, St. Mary’s Hospital said that it found out June 1, 2018, that documents and other materials containing patient information were discovered in isolated locations at the former hospital campus, which is being demolished.
After an investigation, St. Mary’s Hospital confirmed that administrative and operations support records containing patient names, medical record numbers, demographic, financial, and clinical data were found at the old facility.
The hospital also confirmed that all patient medical records were “safely and securely” transferred to the new facility on November 16, 2014.
St. Mary’s has retained a document service to assist in cataloging the recovered documents.
The parent company, SSM Health, does not believe that the breach represents a significant risk to patients.
“We are taking immediate steps to resolve this situation and prevent something similar from ever happening again,” said Phil Gustafson, Interim Regional President of Operations at SSM Health of Mid-Missouri.
Theft of Ambercare Laptop Puts Hospice Patient PHI at Risk
New Mexico-based Ambercare Corporation reported to OCR on July 27 that the theft of a laptop exposed PHI on 2,284 hospice care patients.
In a public notice, Ambercare said that on May 30 it received notification that an employee laptop was missing. The laptop, which was password protected, contained information on hospice clients, including client names, dates of birth, addresses, diagnostic/clinical information, and Social Security numbers.
Once it received notification, Ambercare began an investigation and filed a police report. It stressed that there was no evidence any information on the laptop has been accessed or disclosed.
Just in case, it is offering free credit monitoring services for one year to those affected by the breach.
“To help prevent a recurrence, Ambercare is working diligently to implement additional technical controls on all Ambercare devices and are retraining all employees about physical security,” the provider said.
Southwestern Eye Center's Vendor Caused Refund Check Mistake
Arizona-based Southwestern Eye Center reported to OCR on August 1 that an unauthorized disclosure involving paper records may have exposed personal information on 667 individuals.
In a public notice, Southwestern Eye Center said that it discovered on April 17 that refund checks were made out to the wrong people as payee. An administrative processing gaff at one of its vendors caused the error. The provider asked the recipients of the incorrect checks to shred or destroy them in some other way.
Apart from having the wrong name on them, the checks did not expose other personal, health, financial, or billing information, the center said.
Southwestern Eye Center said it had “no reason to believe that individuals are at risk of identity theft or that they should take any particular measures to protect themselves from harm as a result of this incident.”
“We have implemented measures to prevent this type of incident from occurring again, including providing training and additional quality control in our mailing processes and oversight over vendors,” it added.
SF’s Aging Institute Admits to Email Breach Affecting 3,907 People
San Francisco’s Institute on Aging reported to OCR on July 20 that 3,907 individuals were affected by an email hacking breach.
On May 28, the institute discovered that an unauthorized individual may have accessed email accounts of employees, according to a letter sent to the California Attorney General’s Office by its law firm.
The information that may have been compromised includes client and employee names, addresses, email addresses, Social Security numbers, dates of birth, financial records, diagnosis, treatment, and medical payment data.
The institute launched an investigation led by a team of data security response professionals and notified the FBI. It took additional steps to secure its systems and client and employee information to prevent similar incidents in the future.
The institute is offering free credit and identity monitoring services for one year to those affected by the data breach.