- Central Ohio Urology Group (COUG) reported that a data security incident may have exposed the information of patients, employees, and individuals who paid for medical services.
An unauthorized individual reportedly posted files and documents to an online drive accessible on the Internet on August 2, 2016, COUG said in a statement on its website. The OCR data breach reporting tool states that 300,000 individuals were affected by the incident.
COUG added that the information exposed may vary by individual, but it may have included names, addresses, telephone number(s), emails, dates of birth, Social Security numbers, driver’s license/state identification numbers, patient identification numbers, medical and health plan information, account information, diagnoses or treatment information, health insurance information and identifiers, and employment-related information.
The information was removed from the drive within hours, according to COUG. The organization also contacted local law enforcement and hired a forensics firm.
“We carefully reviewed the posted files and documents to determine what types of information had been put online and which individuals may have been affected,” the statement reads. “Additionally, we installed network monitoring software, implemented a new firewall, added access restrictions and began updating system protections to help prevent this type of incident from recurring in the future.”
COUG will also be offering one year of complimentary identity protection services to individuals who were potentially affected.
Potential HIPAA violation at army hospital system
Georgia-based Martin Army Community Hospital stated on its website that “all patients who received care” should know that a potential HIPAA violation occurred at the provider between January 2011 and December 2013.
Martin Army reported that it was informed that one of its employees in the laboratory shipping section had been involved in identity theft. The employee in question was removed from employment in January 2014, was tried, and is currently serving time.
“The hospital was notified by law enforcement in January 2014. After an extensive investigation of computers, and computer systems, the Criminal Investigation Division did not detect the employee taking information from the electronic health record,” Martin Army explained. “Neither the Department of Justice nor the Internal Revenue Service, which were the primary agencies conducting the investigation, can release the names to U.S. Army officials for proper PHI breach notification. The Internal Revenue Service (IRS) has contacted those affected by fraudulent tax filings.”
The statement did not specify how many individuals were affected by the potential HIPAA violation.
Ransomware attack hits Mississippi facility
Urgent Care Clinic of Oxford in Mississippi recently announced on its website that it had been the victim of a ransomware attack over the summer.
The server was attacked in early July, but Urgent Care discovered the breach on August 2, 2016. After regaining control of the server, the clinic shut down its remote access to prevent the same type of incident from happening again.
“The investigation revealed it is very likely that the attack was carried out by criminal Russian hackers,” Urgent Care said in a letter signed by Dr. Willis Dabbs and Dr. David Coon. “Unfortunately, we cannot say which patients specifically may have been affected by this data breach.”
Information potentially accessed included patients’ names, Social Security numbers, dates of birth, and other personal information. Any health information on file was also illegally accessed.
The statement did not specify how many patients may have been affected.
Urgent Care urged individuals to regularly check all credit and bank accounts to monitor for any suspicious activity. It is also offering one year of complimentary identity protection services as “an added measure of security.”
“We understand this may pose an inconvenience to you, and we sincerely regret that this situation has occurred,” Dabbs and Coon wrote. “Urgent Care is committed to providing quality care and service to all its patients, and that includes keeping your personal information as safe and secure as possible.”
Patient data possibly accessed after employee email account infiltrated
California-based Apria Healthcare said in a press release that an employee’s email account was inappropriately accessed, which may have led to some patients having their personal information accessed.
Apria discovered that the email account was inappropriately accessed on August 5, 2016, and promptly hired forensics experts and launched an internal investigation.
The email account had data with a combination of names, dates of birth, patient identification numbers, Social Security numbers, diagnosis information, doctor's name, types of medical equipment requested, treatment locations, medical record numbers, driver's license or state identification numbers and/or health insurance information.
“Letters to those impacted by the incident are being mailed,” Apria explained. “These letters include an explanation of the incident, an offer of credit monitoring and identity restoration services and information about additional ways impacted individuals can protect themselves.”
Patient data lost after CA ransomware attack
Marin Healthcare District announced that it recently discovered that the company that provides it with business and health care system services experienced a ransomware infection.
Marin Medical Practices Concepts, Inc., (MMPC) had the ransomware attack, and was then working to recover from the malware. However, during the restoration process, a backup system failed which then caused data collected at the district’s nine medical care centers between July 11, 2016 and July 26, 2016 to be lost.
The data included vital signs, limited clinical history, documentation of physical examinations, and any record of the communication between patients and their physician during a visit in that 15 day period.
The online statement did not specify how many patients were potentially affected.
“We sincerely regret any inconvenience this incident has caused to our patients or physicians,” Marin Healthcare District CEO Lee Domanico said in a statement. “Our community can rest assured that the Marin Healthcare District will continue to work side by side with our vendors to ensure that all of our data is protected with today’s most advanced technology to reinforce their security systems against the most aggressive threats.”