Nearly 80,000 patients were potentially impacted by a recent data breach at Georgia-based Emory Healthcare’s Orthopaedics & Spine Center and Brain Health Center (EHC) at Emory Clinic.
On January 3, 2017, EHC became aware of an incident of unauthorized data access involving a third party database called Waits & Delays. The healthcare organization explained in an online statement it had used the database to update patients on appointment information.
The database—which contained appointment information including patient names, dates of birth, contact information, internal medication record numbers, dates of service, and physician names—was deleted by an unauthorized individual who then requested that EHC pay the individual to have it restored.
Potentially impacted patients include any individuals who scheduled an appointment at the Orthopaedics & Spine Center within Emory Clinic between March 25, 2015 and January 3, 2017, and any patients with an appointment at Emory Clinic Brain Health Center between December 6, 2016 and January 3, 2016.
The OCR data breach reporting tool states that 79,930 individuals were affected by the incident.
EHC maintained that no patient Social Security numbers, financial information, diagnoses, or any other information from patient EHRs were accessed during the incident.
EHC also discovered a separate instance of unauthorized access, this one by an independent security research center. That access had occurred as part of an effort to find gaps in application security and alert companies to areas needing improvement.
After learning of the data breach, EHC launched an internal investigation and notified law enforcement. The health organization is presently in the process of informing potentially impacted patients and reassessing its security measures to make any necessary changes to internal and external systems containing patient information.
Currently, EHC said it has no indication any patient information has been misused in any way.
Ransomware attack impacts 17K
Minnesota-based Family Service Rochester (FSR), a nonprofit organization providing support for health and wellness in surrounding communities, recently suffered a ransomware attack potentially impacting the information of nearly 17,000 patients.
FSR explained in an online statement that it discovered on January 26, 2017 that a “portion of its files had been encrypted by ransomware.” FSR promptly initiated a law enforcement investigation into the incident and discovered there had been unauthorized access from December 26, 2016 to January 25, 2017.
The OCR data breach tool reports that 17,037 individuals were affected by the ransomware attack.
In some cases, potentially exposed patient information included patient addresses, Social Security numbers, insurance identification numbers, and medical information.
FSR has notified potentially affected patients and is offering them a year of free identity protection services. The healthcare organization said it is taking steps to ensure the security of all of its systems in the future.
Vanderbilt University discovers unauthorized employee access of medical records
Vanderbilt University Medical Center (VUMC) recently became aware of unauthorized employee access to patient medical records.
In a statement emailed to HealthITSecurity.com, a VUMC spokesperson explained that employees working as patient transporters were accessing patients’ electronic medical records in an unauthorized manner.
VUMC performed an audit of the electronic medical records accessed by the employees between May 2015 and December 2016, the statement read. Two employees viewed adult and pediatric patient information, including patients’ names, dates of birth, and medical record numbers for internal use.
One employee also gained access to patient Social Security numbers in a limited number of instances.
Currently, VUMC has no indication any patient information was downloaded, transferred, or misused in any way.
Patients have been notified of the incident through advisory letters sent by mail.
“We are committed to providing our patients the highest quality care and protecting the confidentiality of their personal information. To our knowledge, the information the employees viewed was not printed, forwarded or downloaded. So far, we have no reason to believe that our patients’ personal information has been used or disclosed in other ways,” said VUMC Chief Communications Officer John Howser. “While we are not aware of any risk of financial harm to these patients, we are contacting each of them by letter to recommend that they vigilantly review account statements and their credit status.”
VUMC has offered services to any patients concerned about fraud or identity theft.
A report from The Tennessean stated that 3,247 medical records were accessed.
WVU Medicine employee prosecuted for identity fraud
On January 17, 2017, West Virginia University (WVU) Medicine University Healthcare became aware of an FBI law enforcement investigation into the unauthorized access, use, and disclosure of PHI for over 7,000 patients.
University Healthcare said in an online statement that it immediately launched an investigation into the incident and found confirmed evidence that an employee had committed identity theft against 113 patients since March 1, 2016. Police found copies of driver’s licenses, ID cards, insurance cards, and Social Security cards in the employee’s possession.
The employee has since been terminated for her conduct and will be criminally prosecuted. University Healthcare has since notified all 113 confirmed victims of the incident and is working to notify all 7,445 patients potentially impacted during the breach.
“University Healthcare understands the importance of safeguarding our patients’ personal information and takes that responsibility very seriously,” University Healthcare President and CEO Anthony P. Zelenka said. “We regret that this incident has occurred. We are committed to work with our patients whose personal information has or may have been compromised, and help them work through the process.”
NC health department exposes PHI
The North Carolina Department of Health and Human Services (DHHS) potentially exposed the PHI of 12,731 Medicaid patients to adult care homes via unencrypted email, according to a News & Observer report.
On November 20, 2016, a state DHHS employee reportedly sent an unencrypted email containing patient names, Medicaid numbers, and addresses. DHHS has since swapped Medicaid numbers for identification numbers to avoid future incidents.
Currently, DHHS said there is no evidence the information has been used improperly in any way.