30K Patients Impacted in Ohio Business Associate Breach from 2019
Several employee email accounts of Ohio business associate MNS were hacked in 2019; a phishing campaign and two insider incidents complete this week’s breach roundup.
By - Ohio-based Management and Network Services (MNS) recently began notifying 30,132 patients that their data was potentially compromised after several employee email accounts were hacked for several months between April and July 2019.
MNS is a business associate that gives administrative support to post-acute healthcare providers and “in connection with providing these services, MNS may receive information belonging to providers’ patients or individuals who were referred by, but did not receive services from, a provider.”
On August 21, 2019, MNS first discovered an unauthorized user gained access to five employee email accounts at various times. Officials said they later determined the accounts contained protected health information from some MNS clients.
The investigation determined the impacted data varied by patient and could contain names, dates of birth, Social Security numbers, treatments, medications, diagnoses and codes, State identification numbers, financial account details, insurance information, and dates of services.
Driver’s licenses, financial account information, or state identification were potentially compromised for a limited number of patients.
MNS first began notifying its clients of the breach on March 5, more than 6 months after the incident was first discovered. It’s important to note that under HIPAA, all breaches impacted more than 500 patients must be reported within 60 days of discovery.
The business associate has since strengthened its password policies and implemented the use of multi-factor authentication for all employee accounts.
Mille Lacs Health System Reports 2019 Phishing Attack
About 10,000 Mille Lacs Health System patients are being notified that their data was potentially breached after several employees fell victim to a targeted phishing campaign in 2019.
First discovered in November, a hacker sent phishing emails to certain employees in an attempt to gain access to their login credentials. Officials said they launched an investigation, which determined the threat actor successfully leveraged employee credentials to access to multiple email accounts for five months from August 26 until January 1, 2020.
The investigation confirmed the accounts contained patient health information, which the hacker potentially accessed. The breach was contained to the impacted employee accounts.
The compromised data varies by individual but could include names, contact details, dates of birth, provider names, treatments, clinical data, procedure type, and Social Security numbers, for some patients.
Mille Lacs reset all user account credentials and implemented additional security measures to prevent a recurrence. The incident has been reported law enforcement, and officials said they are continuing to cooperate with the investigation.
PsyGenics Reports Data Breach After Email Incident
PsyGenics in Michigan is notifying an undisclosed number of patients that their data was potentially breached after employee email incident.
On March 25, officials said they discovered an employee forwarded PsyGenics information with an attached Excel spreadsheet to their personal email account without authorization. The spreadsheet contained patient information that included names, diagnosis codes, appointment times, and provider names. Treatment notes and other clinical information were not included.
The notification did not include details into remediation efforts. But the security incident has been reported to federal regulators.
Insider-related breaches are typically the leading cause of healthcare data breaches. Insider breach remediation costs the healthcare and pharmaceutical sectors about $10.81 million each year.
Geisinger Wyoming Valley Medical Center Reports Insider Wrongdoing
More than 800 patients are being notified that an employee accessed their patient information without authorization over the course of three years between July 2017 and March 2020.
Geisinger’s Privacy Office was alerted to the unauthorized access on March 20 and immediately launched an investigation. Officials said they determined the employee accessed medical records as part of their daily job responsibilities. However, the employee also access hundreds of patient records without a business need to do so.
According to officials, it does not appear the access was spurred by malicious intent. But the employee viewed patient names, dates of birth, Social Security numbers, medications, dates of service, contact information, medical conditions, dates of service, visit notes, results, and appointment details.
All patients will receive a year of free identity theft protection. As a result of the investigation, the employee in question is no longer part of Geisinger.
“Geisinger is committed to protecting the privacy of our patients and members so we are actively exploring additional safeguards to protect our patients from a similar incident in the future,” Geisinger Assistant Privacy Officer, Deb Beaver, said in a statement.
