- Nuance, a Burlington, Mass.-based provider of speech recognition software, said in a May 10 SEC filing that a healthcare data breach occurred when an unauthorized third party gained access to 45,000 patient records hosted on one of its medical transcription platforms.
The company said it discovered the breach in December 2017. It notified those affected and migrated them to its eScription transcription platforms. Nuance also notified law enforcement, who identified the third party and recovered the records.
Close to 900 patients of the San Francisco Health Network were affected by the Nuance breach, the San Francisco Department of Public Health announced May 11.The department said that Nuance delayed notification to those affected at the request of the FBI and Department of Justice (DoJ).
Information that was accessed included name, date of birth, medical record number, patient number, and information dictated by the provider such as patient condition, assessment, diagnosis, treatment, care plan, and date of service.
The federal investigation determined that a former Nuance employee had hacked into the company’s servers and accessed the patient information. The DoJ found that the information was not used or sold for any purpose and that all the data had been recovered.
Last year, Nuance said it suffered a NotPetya ransomware attack that affected its medical transcription service and imaging division systems and cost it $92 million in lost revenue.
CPRF Says PHI on 8,300 Patients Was Exposed for 10 Months
The Cerebral Palsy Research Foundation of Kansas (CPRF) said May 9 that it discovered on March 10 that a patient database was exposed for ten months.
The information exposed included personally identifiable information and protected health information (PHI) regarding the patients’ disability. No financial information or information about donors was exposed.
CPRF reported to OCR that 8,300 patients were affected by the breach.
After an investigation, the foundation determined that a demographic database containing client information from 2001 to 2010 was not identified during a recent change in servers at CPRF, which temporarily exposed the information before it was secured.
CPRF said it is offering free credit monitoring services for one year to those affected by the breach.
15,552 USACS Patients Affected by Employee Email Breach
Ohio-based USACS Management Group announced May 8 that an unauthorized party may have accessed an employee’s email account on March 9. The healthcare management consultant informed OCR that 15,552 individuals were affected by the breach.
Information that may have been compromised included patients’ names, addresses, dates of service, USACS account numbers, medical and health insurance information, diagnostic and treatment information, and, in some cases, Social Security numbers.
USACS said it is offering free credit monitoring and identity protection services for one year to those affected by the breach.
Eye Care Surgery Center Admits to Laptop Theft with PHI on 2,553 Patients
Louisiana-based Eye Care Surgery Center (ECSC) said April 27 that a laptop computer containing patient PHI was stolen. The center informed OCR that 2,553 individuals were affected by the breach.
PHI that may have been compromised included names, dates of birth, and diagnosis information. The company said Social Security numbers, financial transaction, and payment information were not involved in the breach.
ECSC said that, because of the breach, it had deployed an enhanced multicamera security system inside and outside the building and encryption on most portable electronic devices and desktop computers used for patient care.
The center did not indicate that it is offering free credit monitoring services to affected patients.
Arkansas Health Group Physician put PHI on Cloud Filing-Sharing Website
Arkansas Health Group (AHG), an affiliate of Baptist Health, reported May 11 that one of its physicians stored PHI on a cloud-based file-sharing website.
The information that was exposed on the website included patient names, dates of birth, medical record numbers, visit dates, visit type, and diagnoses.
Baptist Health reported to OCR that 3,453 individuals were affected by the breach.
AHG said that it discovered the breach on March 23. It said that the website was password protected and used encryption, but the security did not meet its “more stringent security requirements.” AHG stressed that Social Security numbers, addresses, and insurance information were not disclosed.
The group said that it had no evidence that the PHI was viewed or misused by an unauthorized party. It did not say whether it was offering free credit monitoring services to those affected by the breach.