North Ottawa Medical Group has identified a hacking incident at Bizmatics, an EHR vendor, as the source of a potential healthcare data breach, according to a press release.
The Michigan-based medical group was notified by Bizmatics that servers containing patient information were accessed by an unauthorized user, although the vendor could not confirm whether North Ottawa Medical Group’s patient files were involved in the incident.
About 22,000 individuals were affected by the healthcare data security event, reported the Office of Civil Rights on their website.
However, the possible PHI breach only affected patients at the medical group’s employed physician practices, including the internal medicine, family practice, and women’s health offices.
Patient information that may have been disclosed included names, addresses, health visit information, treatments, health insurance information, and Social Security numbers. The incident may have also exposed the last four digits of a credit card number for some patients.
The medical center explained that an independent cyber forensics firm, hired by Bizmatics, is working with the vendor regarding the incident, and that law enforcement officials also conducted a criminal investigation.
“These investigations found that there was no reason to believe patient files were the target of the attack,” the press release stated. “Further, investigators could not conclusively determine if there was, in fact, a PHI breach at all.”
Despite the lack of evidence that PHI was exposed, North Ottawa Medical Center has notified affected individuals and the Department of Health and Human Services of the incident. It has also offered affected patients complimentary identity recovery assistance services for a year.
Bizmatics, a 15-year-old health IT company that serves over 15,000 medical professionals, has recently been involved in several potential healthcare data breaches after hackers gained access to its servers.
Last month, Integrated Health Solutions, PC, notified 19,776 individuals of a possible EHR breach after Bizmatics told them that their patient files may have been exposed in a hacking incident.
Another healthcare organization contacted over 87,000 patients following reports of unauthorized disclosure of PHI at Bizmatics. The Southeast Eye Institute stated that the hackers had accessed the vendor’s servers starting in January 2015, but it was not notified of the incident until March 2016.
CO healthcare practice notifies 1,835 patients of potential PHI breach
A Colorado-based healthcare office has reported a possible PHI breach after a former employee emailed patient information to her personal email in May.
The Office of Civil Rights data breach tool reported that 1,835 individuals were affected by the unauthorized disclosure incident.
In a notice on its website, Lasair Aesthetic Health stated that a former manager used her work email account on her phone to forward documents containing patient lists and data to her personal email account after her resignation.
PHI that may have been involved in the potential breach includes names, amounts patients spent, credits with Lasair during 2015, and, in some cases, treatment results and photographic images without faces showing.
After discovering the incident, the healthcare office ordered the former employee to destroy the documents and not use the patient information. The individual confirmed that the documents have been deleted, but Lasair is still seeking an injunction to ensure that the information cannot be used or disclosed. It has also reported the healthcare data security event to the police.
To prevent future incidents, Lasair has researched methods for upgrading its information technology system to further restrict the abilities to access, copy, and move files from the office’s network. The healthcare office also assessed its patient privacy and security safeguards.
Additionally, Lasair updated its patient privacy policies and it will require all staff to review and understand the new procedures.
Lasair has collaborated with a data breach services company, which will be mailing notification letters to all individuals.
Kaiser Permanente reports possible PHI breach after theft of ultrasound units
The theft of several ultrasound machines caused a potential healthcare data breach affecting 1,100 members of Kaiser Permanente, an integrated managed care system that maintains healthcare coverage for 9 million individuals.
According to a statement on its website, two former employees stole an undisclosed number of ultrasound units. After recovering a “significant portion” of the stolen machines, the health plan company discovered that the units contained ePHI, such as names, medical record numbers, and medical images.
The stolen machines were found in a locked storage unit, but some units have yet to be located.
Kaiser Permanente stated that the only purpose of the theft was to sell the units for profit, not to disclose or misuse PHI. There is no evidence that ePHI was accessed by an unauthorized entity.
In response, the health plan system has launched an investigation to identify which members may have had their information exposed by the incident and contacted local law enforcement officials. It has sent notifications specifically addressing the ePHI data elements found for each affected individual.
“Kaiser Permanente is committed to protecting the confidentiality of our members’ personal information,” explained the statement. “We are continuing our investigation of this incident and are taking appropriate actions to prevent similar errors in the future. We are cooperating fully with law enforcement in this matter.”
Inappropriate employee access causes possible healthcare data breach
Following an internal audit in May, Providence Health and Services in Oregon discovered that a former employee may have inappropriately viewed patient records, reported KGW.com.
The organization has notified 5,400 current and former patients of the possible healthcare data breach.
During the audit, Providence Health and Services discovered that a worker had accessed patient records between July 2012 and April 2016. The employee viewed demographic and treatment information and may have seen health insurance information and Social Security numbers.
Providence Health and Services stated that it does not believe the worker had misused or disclosed the patient information.
However, the healthcare organization has terminated the employee, according to the report.
In response, Providence Health and Services has apologized for the potential breach and offered affected individuals a year of free credit monitoring. It has also reported that it is implementing additional security measures.