Computer Theft Raises Health Data Security Concerns for 8K

Recent health data security incidents, some affecting PHI security, include device theft and unauthorized employee access to patient data.

By Elizabeth Snell

Brevard Physician Associates announced on its website that it was burglarized on September 4, 2017, raising possible health data security concerns for 7,976 patients.

The Melbourne, Florida-based facility stated that it was notified on September 4 that its security alarm had been tripped. An employee then discovered that three computers were missing from the office, one of which contained five audit files that held the patient records.

Information in the audit files included patient names, the names of patients’ insurance providers, the amount charged for the services provided, and the CPT codes of the services provided. However, patient addresses, dates of birth, telephone numbers, Social Security numbers, insurance ID numbers, and financial information were not included.

“We believe that the information contained on the stolen computers presents a minimal risk of future identity theft or financial fraud,” Brevard stated. “All three computers were password protected with strong passwords. Additionally, all of the data from all three computers will be automatically deleted upon their connection to the internet.”

Brevard added that it has “enhanced the security” at its office and put in additional policies to ensure it is “appropriately secured in the future.”

Affected patients will also be offered one year of complimentary credit monitoring service.

Stolen laptop possibly impacts 5.8K patients at VA facility

Martinsville Henry County (MHC) Coalition for Health and Wellness recently posted a HIPAA breach notification concerning its Bassett Family Practice.

A laptop was stolen out of a Bassett employee’s car, likely between the evening of August 12, 2017 and the morning of August 14, 2017, when the theft was discovered.

There is no reason to believe that the information on the device was specifically sought after, or that it has been accessed, Bassett stated. The laptop’s activity is also being monitored, and its contents will be immediately wiped if it is used to access the internet.

The OCR data breach reporting tool states that 5,806 individuals may have been impacted.

Information possibly on the laptop includes patient names, dates of birth, account numbers, identity of providers, and/or details about patient visits with the practice. There is currently no indication that Social Security numbers or financial information was on the device.

“We are currently upgrading our IT security policies, procedures and related equipment to prevent future information from being stored on a laptop in an unencrypted manner,” Bassett said. “Please understand we value our relationship with you and take the security of your personal information very seriously. We have taken immediate steps and we will continue to evaluate our technology, policies and procedures in our efforts to prevent another occurrence such as this from happening in the future.”

Affected individuals were urged to regularly review their account statements and credit reports, and were told that they can consider fraud alerts or credit freezes to prevent potential identity theft.

Employee inappropriately accesses data of 1.2K patients

Bogalusa, Louisiana-based Our Lady of the Angels Hospital notified LSU Health Care Services Division on August 11, 2017 that a hospital employee admitted to inappropriately accessing patient information during their time of employment. The access occurred until March 17, 2014.

The individual’s employment was terminated, and an investigation did not reveal any evidence that the former employee used or shared any of the data.

The access also reportedly occurred when the hospital was under the management of LSU Health Care Services Division as Bogalusa Medical Center.

LSU Health Care Services said it began its own investigation on August 24, 2017, after receiving enough information to do so. Employment records showed that the individual may have been inappropriately accessing Bogalusa Medical Center’s patient information from February 19, 2003, through March 17, 2014.

Possibly accessed information includes patients’ names, addresses, dates of birth, Social Security numbers, insurance identification information, dates of service, reasons for service, diagnoses, and physician orders.

OCR reports that 1,200 individuals may have been affected.

There is no indication that any patient data is at risk, the LSU Health statement read. The former employee said the access occurred out of curiosity, and there is no reason to believe that identity theft will take place.

“LSU Health Care Services Division sincerely regrets any inconvenience or concern this incident may cause its former patients,” the organization said. “Strict privacy and security policies are in place now and were in place during operation of Bogalusa Medical Center. Although LSU Health Care Services Division no longer operates Bogalusa Medical Center, it is still committed to the security of its former patients’ protected health information.”

Former employee emails patient info to personal email account

Texas Children’s Health Plan reported that one of its former employees emailed the information of 932 members to a personal email account. Sending the emails was against company policy, the health plan stated, and occurred in November and December 2016.

Texas Children’s learned of the incident on September 21, 2017, and said that there is no indication that any of the data was used inappropriately.

The information involved includes names, addresses, telephone numbers, dates of birth, Medicaid numbers, waiver type, STAR Kids manager’s name and group, and information from a budget worksheet. 

“We deeply regret any inconvenience or concern this may cause you,” Texas Health stated. “We have implemented additional safeguards and re-educated employees on protecting personal information.”
