Baltimore-based CareFirst BlueCross BlueShield admitted March 30, 2018 that the personal data of 6,800 CareFirst members may have been exposed by a phishing attack that compromised an employee’s email account.
Information that could have been exposed includes names, member identification numbers, dates of birth, and, in a few cases, Social Security numbers. CareFirst stressed that no medical or financial information was compromised.
The hackers gained access to the employee’s email and used the account to send spam emails outside of CareFirst. Through that access, the attackers could have accessed members’ personal data.
CareFirst said that there was no evidence that malware had infected its systems and no evidence that member information had been misused because of the breach.
The healthcare group said it would provide free credit monitoring and identity theft protection for two years.
Although this security breach was comparatively minor, BlueCross BlueShield affiliates have been plagued by data breaches over the years, resulting in the release of healthcare data and other personal information on millions of members.
Milligan Chiropractic Says Employee Lost Laptop with Patient Data
San Diego-based Milligan Chiropractic Group announced March 30, 2018 that an employee’s laptop containing patient data, including names, dates of birth, and clinic and progress notes, was stolen.
Although Milligan Chiropractic did not disclose the number of patients affected, the Office of Civil Rights listed the number at 2,640.
The healthcare provider stressed that the laptop was password protected and that it was not aware of any misuse of the information. Interestingly, it is not offering free credit monitoring services to possible victims, instead recommending that they place a fraud alert on their credit reports.
The company said it is implementing increased electronic safeguards and HIPAA-compliant cloud storage and reviewing policies and procedures on secure storage of personal information.
Cambridge Health Alliance Cops to Data Breach Involving More Than 2K Members
Cambridge Health Alliance (CHA), a healthcare provider located north of Boston, said March 28, 2018 that a data breach exposed member billing information from 2013, including names, addresses, phone numbers, dates of birth, Social Security numbers, charges for past healthcare services, and discharge dates.
CHA was informed on January 31, 2018 by the Everett Police Department that the billing information on members was found in the possession of an unauthorized third party. The organization then launched its own investigation into the data breach and discovered that billing information, but no medical data, was compromised.
CHA said that it found no evidence that the information was used to conduct credit card fraud, but it is providing free credit monitoring services and identity protection services for one year to individuals whose Social Security numbers were stolen.
inSite Digestive Care Gets Heartburn from Patient Records Breach
inSite Digestive Care said in an online statement that in January 2018 someone broke into two storage lockers used to store patient records and may have viewed and/or removed patient files.
The files contained patients’ names, addresses, dates of birth, driver’s license information, Social Security numbers, insurance information, Medicare numbers, pathology lab orders, indications, provider information, and other health information.
The clinic did not disclose the number of patients impacted by the breach but said that the breach affected only patients who had pathology tests processed in 2017. The Office of Civil Rights said that 1,424 individuals were affected.
inSite Digestive Care said it was offering one-year free credit monitoring and identity protection services to patients who may have had their Social Security or Medicare information exposed.
Curry Health Network Says Vendor Data Breach May Have Exposed Employment Data
Curry Health Network (CHN), a healthcare provider on the southern Oregon coast, said that a third-party vendor it uses for website services had a data breach that may have compromised personal information on people who filled out the CHN employment application form.
The attackers were able to access information provided in the forms submitted online and stored in a database located on the servers of the third-party vendor, FastHealth.
CHN stressed that no health information protected by HIPAA, medical records, patient portal data, online bill pay information, or any other forms on the website or linked to or from the website were compromised.
FastHealth is offering free identity monitoring services, including credit monitoring, fraud consultation, and identity theft restoration, for one year to everyone affected by the breach.
“To be clear, this incident is a FastHealth security issue; it is not a Curry Health Network security issue and does not reflect on the security of the CHN data systems. Additionally, the security of the website does not fall under the purview of the Curry Health Network IT department, but rather to the vendor,” CHN emphasized in its statement.
Middletown Medical Data Breach May Have Exposed Radiology Reports, Images
NY-based healthcare provider Middletown Medical announced March 29, 2018 that a data breach in January 2018 could have exposed names, birth dates, client IDs, and treatment information, such as radiology reports, on an undisclosed number of patients.
Middletown Medical said that a security setting on a radiology interface may have enabled unauthorized users to see electronic patient information, including radiology reports, images, and diagnoses. The provider stressed that Social Security numbers and other electronic medical records were not compromised.
The healthcare provider said that it is taking steps to prevent a future breach, including modifying equipment interfaces to secure information, implementing safeguards to secure documents, and providing additional employee training about securing information systems.
Middletown Medical is providing free identity theft recovery services through ID Experts for one year. It is also advising patients to monitor account and benefit statements and report any “unfamiliar” healthcare service charges to their insurers.