Alabama Women’s Health Center Suffers Data Breach, 34K Impacted

September 09, 2022 - Birmingham, Alabama-based Henderson & Walton Women’s Center, P.C. (HWWC) disclosed a data breach that impacted more than 34,000 individuals. It is unclear when the breach began, but HWWC said that an employee email account was hacked, prompting an investigation.

“All HWWC email sent internally is encrypted,” HWWC explained. “The hackers did not have access to HWWC’s server or other data storage facilities. Nevertheless, because the hackers gained access to the email account, it was necessary to investigate whether they were able to view emails and attachments contained in it.”

By late June, the practice determined that some personal information was contained in the account, although it was unclear whether the information was viewed. The information contained in the account included birth dates, Social Security numbers, medical information, driver’s license numbers, and health insurance information.

“In response to this incident, HWWC has implemented additional security measures to protect its system, including implementing additional security and privacy policies after the incident,” the notice explained.

“In particular, along with additional security for its encrypted email system, HWWC has implemented a new system for emails containing personal information, automatically deleting such information after three (3) days. HWWC is also working toward establishing a system to eliminate the sharing of any personal information via email at all.”

HWWC also provided impacted individuals with one year of credit monitoring.

2 Radiology Practices Disclose Breaches

Arizona-based Radiology Ltd and Texas-based Gateway Diagnostic Imaging disclosed breaches that occurred in December 2021. The breaches have not yet been posted on the Office for Civil Rights (OCR) data breach portal, so it is unclear how many individuals were impacted.

Both notices described the same series of events, beginning on December 24, when the practices discovered suspicious activity. Further investigation determined that an unauthorized party had gained access to some patient information between December 17 and December 24.

Although there was no evidence of fraud or misuse of information, some personal data may have been accessed, including names, birth dates, some Social Security numbers, diagnoses, dates of service, health insurance information, birth dates, addresses, medical record numbers, physician names, and treatment related to radiology services.

“We recommend that patients review the statements they receive from their health insurer. If you see charges for services you did not receive, please call the insurer immediately,” the notice stated.

“We continue to implement enhancements to information security, systems, and monitoring capabilities and are committed to maintaining the confidentiality and security of patients’ information.”