Philadelphia-based Tandigm Health recently notified about 7,000 patients that their personal data may have been exposed for more than six months due to a website vulnerability.
On Sept. 25, 2018, Tandigm officials discovered a potential website flaw and launched an investigation alongside a forensics investigation team to determine whether the data was breached. While officials did not discover evidence of unauthorized access, they couldn’t rule out compromise.
The patient data was exposed from April 24, 2017 to Dec. 31, 2017 and included names, dates of birth, medical data and health insurance information. No financial or credit card data was exposed. However, this type of data is commonly used to commit medical fraud and other types of scams.
Impacted patients are being offered two years of free credit monitoring and identity protection service. Tandigm has since added increased security to its internet-based platforms and bolstered staff data security training. Officials are also reviewing their privacy and security policies and enhancing current security tools.
Phishing Attack Breaches Data of 7,000 Patients in Georgia
A phishing attack on Georgia Spine and Orthopaedics of Atlanta potentially compromised the personal health information of about 7,012 patients.
According to officials, an unauthorized user hacked into an email account after an employee opened a phishing email. The hacker used the attack to steal the employee’s email account password. Upon discovery, access to the account was terminated and officials hired a forensics team to investigate.
An investigation determined a single email account was compromised on July 11. While officials said the investigation concluded on October 26, they didn’t explain when the compromise was first discovered. The hack was contained to the single email account.
Due to the email account configuration, a copy of certain emails was potentially saved onto the hacker’s computer. Officials said that while the download was likely unintentional, “we had to assume that the third party retained a copy of that data.”
“We searched the emails to determine whether sensitive data was located within any of the emails that were potentially saved. Individual emails were then hand reviewed to obtain names and mailing addresses,” officials explained.
The investigators determined the emails contained patient names and other data typically contained in a medical record. For a small number of patients, Social Security numbers and driver’s license numbers were breached.
Three Massive Healthcare Data Breaches
This week, Atrium Health notified 2.65 million patients that their data was breached due to a hack on its third-party billing vendor, AccuDoc. Patient data was compromised for more than a week in what is the biggest healthcare data breach of 2018.
A HealthEquity email hack potentially breached the data of 190,000 customers. Two employee email accounts were hacked over the course of a month. It’s the second breach notification for HealthEquity this year.
The data of about 128,000 New York Oncology Hematology patients was breached after 15 employees fell victim to targeted phishing attacks in April. The first hack occurred on April 20 and a second attack on one employee account occurred for about six days on April 26.