Catholic Charities announced that its Glens Falls office experienced a healthcare cyberattack on a server containing information of approximately 4,600 current and former clients and several employees.
Unauthorized software was discovered on the server during computer security upgrades, the organization said in its online statement. The incident was discovered on August 30, 2017, with a forensic analysis determining that the server access may date back to 2015.
Personal health information may have been accessed in some cases, including names, addresses, dates of birth, dates of services and diagnosis codes, along with some health insurance identification numbers, which may include Social Security numbers.
Individual case treatment or therapy notes, financial information, and banking information were not stored on the server. Data on Catholic Charities donors or clients of other agencies also were not affected.
“We take very seriously our responsibility for protecting private information, and we sincerely apologize for any inconvenience this may cause our clients and staff,” Sister Charla Commins, CSJ, Executive Director of Catholic Charities of Saratoga, Warren and Washington Counties, said in a statement. “Our mission is to help people in need, and as we do this work every day, we are always mindful of our responsibility to protect the information they share with us. We have modern digital security measures in place, but every day it seems criminals intent on invading computer systems find new ways to do so.”
Catholic Charities added that it is offering one year of complimentary identity theft and credit monitoring services to individuals who were potentially affected.
Valley Family Medicine data breach affects 8.4K patients
Virginia-based Valley Family Medicine (VFM) reportedly had a data breach in July 2017 when two employees printed out a mailing list of patient names and addresses. One employee then used that list to mail notifications to patients that the employee was starting a new practice and patients were invited to visit, according to a News Leader report.
The incident was discovered on September 15. The only information involved was names and addresses, VFM told the news source. Identifying data, financial information, and patient health records were not involved.
The OCR data breach reporting tool states that 8,450 individuals may have had their data impacted.
VFM added that the employee actions were in direct violation of written agreements and that the two individuals no longer work for VFM or have access to its information.
Unsecured cloud-based server impacts FL patients
Blue Cross and Blue Shield of Florida, Inc., dba Florida Blue, reported that certain individuals may have had some of their personal information exposed through data being stored on an unsecured cloud-based server through an unaffiliated agent.
Florida Blue was notified on August 30, 2017 that approximately 475 of its applications were stored on the server, which was used by Real Time Health Quotes, LLC (RTHQ). An investigation determined that RTHQ used the server to back up information, such as copies of health, dental and/or life insurance applications.
The stored applications were dated 2009 to 2014 and may contain Social Security numbers, dates of birth, demographic information, medical history, and limited banking/payment information.
There is no indication that the data was misused in any way, and RTHQ also “took appropriate steps to safeguard this server against unauthorized access once notified of the security vulnerability,” Florida Blue stated.
“Florida Blue does not have a relationship with RTHQ,” the statement read. “We are taking additional steps to determine how RTHQ acquired this application information and why RTHQ stored this information on an unsecured server.”
Florida Blue added that it is offering potentially affected individuals two years of complimentary identity theft protection, detection and resolution services.
While Florida Blue reported 475 individuals as possibly being impacted, the OCR data breach reporting tool shows an incident with Florida Blue that has 939 affected individuals. The OCR entry also says the breached information was in paper/films.
Experian computer upgrade leads to PHI security breach
Cook County Health and Hospitals System (CCHHS) said on its website that certain PHI may have been sent to other healthcare facilities during an Experian computer system upgrade.
Experian notified CCHHS on August 1, 2017 that the computer upgrade took place in March 2017. Information sent to other facilities included names, account numbers, medical record numbers, and dates of birth.
OCR states on its reporting tool that 727 individuals may have had their information involved.
CCHHS added that it is looking at what happened, working to understand the events, and is discussing the issue with Experian.
“We know you trust us and our vendors with your confidential information and we have a duty to keep that trust through our actions,” CCHHS said. “We apologize for this breach. We – and our business partners – must and will do everything we can to protect our patients’ privacy.”