A series of programming and printing errors resulted in Explanation of Benefits (EOB) letters being sent to the incorrect CarePlus Health Plan members, an organization spokesperson confirmed to HealthITSecurity.com. Approximately 11,200 individuals may have had their information involved in the PHI data breach.
The disclosed information included member names, CarePlus Health identification numbers and plan names, date(s) of service(s), provider of services, and services provided. Personal financial information and Social Security numbers were not included in the EOB letters.
“To date CarePlus has no information indicating that any data has been inappropriately used,” the statement explained.
“While CarePlus has policies and procedures in place to maintain the security of its members’ information, we are taking additional steps as a result of this incident,” CarePlus continued. “These steps include enhancements to our printing software to prevent formatting errors, more rigorous testing procedures and implementation of additional quality audit controls of EOBs prior to mailing.”
Malware creates unauthorized access on UVA devices
An unauthorized third party may have been able to view patient information on a physician’s laptop computer and other devices, according to a University of Virginia (UVA) Health System statement. Malware on the physician’s devices allowed the unauthorized individual to see what the physician was viewing on his devices at the same time.
The access occurred from May 3, 2015, to December 27, 2016, with UVA Health System becoming aware of the issue on December 23, 2017.
“During this time period, the physician would conduct UVA Health System business from his devices, which included accessing medical records and other documents containing patient information,” UVA Health System stated. “The investigations could not rule out that the third party may have been able to view some patient information.”
Patients’ names, diagnoses, treatment information, dates of birth, and addresses may have been accessed. Social Security numbers and financial information were not viewable, the organization added.
UVA Health System spokesperson Regina Verde told NBC29 that 1,882 patients will be receiving data breach notifications from the health system.
Additionally, the FBI said a third party was arrested in the incident, and the individual “did not take, use or share” patient data in any way.
UVA Health System said in its statement that the health system is “enhancing the security measures required to remotely access UVA Health System information.”
California dentist reports PHI data breach in computer server
Cyber criminals accessed a business computer at White and Bright Family Dental, leading to a PHI data breach for certain patients, according to a notification letter.
The California-based organization said the access occurred on January 30, 2018, but added that there is no indication that information was copied or stolen.
The server contained patient names, addresses, telephone numbers, Social Security numbers, dates of birth, driver’s license numbers, insurance information, and dental histories, explained the notification letter, which was signed by Salih M. Mayalidag, DDS.
“This incident is currently under review by our practice, and in response we have heightened our security measures to prevent a future recurrence,” the letter read. “In accordance with our policies and procedures, please be assured that all necessary actions are being taken including notification of government agencies as required, including the active and ongoing investigation by the Fresno Police Department.”
White and Bright also urged potentially affected patients to consider placing a fraud report on their file through one of the national credit reporting agencies. Individuals should also review all of their health statements for accuracy and contact White and Bright if there appears to be an issue.
The letter did not specify how many individuals may have been impacted by the incident, and the OCR data breach reporting tool did not have the data breach listed at the time of publication.