- Missouri-based Burrell Behavioral Health recently announced that it was the victim of a cybersecurity attack after an employee’s email account was accessed by an unauthorized party.
Burrell made the discovery on July 7, 2016 and immediately launched an investigation. The account was also secured, according to a company statement. The investigation revealed that the unauthorized access potentially occurred from July 6, 2016 to July 7, 2016.
Burrell also determined that clients’ names, addresses, dates of birth, Social Security numbers, doctor’s names, diagnoses, disability code, health insurance number, treatments, treatment locations and medical record numbers may have been in the accessed email account.
“We take any threat to the security of information entrusted to us very seriously,” Burrell President and CEO Dr. Todd Schaible said in a statement. “Once the attack was discovered, we immediately took counter measures and also hired nationally-renowned computer forensic investigators to determine exactly what happened and what information was at risk. We apologize for any inconvenience or concern this incident may cause our community.”
The OCR data breach reporting tool states that 7,748 individuals may have had their information exposed in this incident.
Burrell stated that the patient PHI in the email account was accessed or acquired, but that “information at risk varies for each individual.”
Possibly affected individuals are being offered access to one year of complimentary credit monitoring and identity restoration, the facility said. Burrell added that individuals should “remain vigilant against identity theft, especially this time of year.”
Stolen laptop affects 1,400 US HealthWorks patients
A U.S. HealthWorks employee’s laptop containing patient information was stolen on July 18, 2016, according to a company statement.
While the device was encrypted, the laptop’s password was also stolen. Therefore, the thief may be able to access the information on the device, U.S. HealthWorks said.
Emails on the computer may have “contained information for a limited number of individuals.” Financial or account information were not included. However, full names and possibly some limited medical information, including diagnoses and visit dates, and limited health insurance information may have been included.
“To help prevent something like this from happening again, we are enhancing our existing procedures related to the security of laptops and user passwords, as well as providing additional information security training for all U.S. HealthWorks employees,” the statement reads.
OCR reports that 1,400 individuals may have had their information compromised.
Letters to those individuals began to be sent out on September 2, 2016, U.S. HealthWorks said. If an individual believes he or she was affected, and has not received a letter by September 17, then they are encouraged to reach out to the organization.
Dental patient information potentially exposed in server access
King of Prussia Dental Associates and its affiliate Pediatric Dentistry of Collegeville (KOP Dental) recently announced that some patient information may have been exposed following unauthorized server access.
KOP Dental “detected irregular activity on a computer server” on or about June 1, 2016. A forensics firm determined on June 23 that a third party may have gained unauthorized access to the KOP Dental and Pediatric Dentistry of Collegeville computer network.
The server in question contained patient information, including names, Social Security numbers, dates of birth, home addresses, phone numbers, account numbers and treatment records.
“The impacted server was immediately taken out of operation, and the investigation has revealed no evidence that any information was acquired or used inappropriately,” King of Prussia said in its statement. “KOP Dental recommends that patients remain vigilant, and is offering credit monitoring and identity theft protection services.”
King of Prussia added that it is “working to enhance the security of its systems to protect from further unauthorized access and cooperating with law enforcement to help prevent something like this from happening again.” This includes improving data security on its web server infrastructure, strengthening existing network firewalls, and “incorporating best practices in IT security.”
Inappropriate employee access leads to data security incident
Medford, Oregon-based Asante recently reported a data security incident stemming from inappropriate employee access may have exposed some patient information.
The access occurred on July 13, 2016, and Asante immediately launched an investigation into the employee.
“While Asante cannot provide details regarding the outcome of this internal investigation, we can assure you that we applied our employment policies and processes appropriately,” Asante said in its statement. “A final audit of the employee’s actions showed that the employee inappropriately accessed records from August 18, 2014 to July 21, 2016.”
Potentially exposed information includes patient names, dates of birth, medical record numbers, medications, diagnoses, and lab results. However, Social Security numbers, financial, and account information were not included.
There is no indication that patient information has been misused or that it will be in the future, according to Asante.
“To help prevent a similar incident from occurring in the future, we are implementing mandatory re-education of workforce members on appropriate access to protected health information and will continue to audit employee access to patient information.”