- A pair of dermatology clinics reported to OCR this month healthcare data breaches that exposed PHI on a total of 5,375 patients.
Maryland-based Anne Arundel Dermatology told OCR on August 9 that 1,310 individuals were affected by the theft of paper records.
In a statement, the clinic said a burglar broke into a locked cabinet at its Quarterfield medical office and stole cash and check payments from patients, as well as the daily payment logs containing payment information for two of its medical offices.
The stolen documents may have included patient name, address, billing code, reason for patient visit, method and amount of payments, and bank account information.
Anne Arundel Dermatology advised patients who paid by check at its Quarterfield office between June 1-8 or at its Columbia office between June 7-8 to contact their bank to stop payment. It stressed that no credit card numbers, Social Security numbers, or insurance data was stolen.
In a separate incident, Colorado-based Central Colorado Dermatology told OCR on August 3 that an IT incident affected 4,065 individuals.
In a statement, the clinic said it discovered on June 5 that attackers had penetrated its network, launched ransomware that encrypted certain files, and could have gained access to certain information on its server.
Information that may have been accessed by the attackers included patients’ full names, dates of birth, mailing addresses, phone numbers, email addresses, Social Security numbers, insurance carriers, insurance payment codes, payment information, dates of service, medical conditions, diagnoses, medications, labs and diagnostic studies, and copies of notes or reports by the clinic or other healthcare providers.
“We did not find evidence of any patient files being opened on CCD’s computers, but because some of the software installed by the hackers could have been used to download computer files and some files were encrypted, we cannot be sure that health information was not compromised,” the clinic said in its statement.
The clinic said it is providing free online credit monitoring service to victims for one year.
“Because of this incident, we have made changes to how our network may be accessed and modified network password requirements. We have implemented new anti-virus software and are analyzing and considering further upgrades to our system in consultation with seasoned IT professionals. We have verified that incoming faxes are not being saved as digital images on any network computer. We are reinforcing and providing additional security awareness training to our workforce,” the clinic related.
PHI of 38K Patients Exposed in Legacy Health Phishing Attack
Oregon-based Legacy Health said August 20 that PHI on 38,000 patients may have been exposed in a May phishing attack.
Legacy Health learned on June 21 that some employees’ email accounts were compromised by an unauthorized third party as a result of the phishing attack.
Information that may have been exposed included patients’ name, dates of birth, health insurance information, billing information, medical information and, in some cases, Social Security numbers and driver’s license numbers.
The health system said it is providing free credit monitoring to patients who had their Social Security number exposed.
“To help prevent something like this from happening in the future, we are implementing additional access restrictions,” it said.
And Finally This Month…
Here are healthcare data breaches reported to OCR this month for which no additional information was available.
- Chapman & Chapman, an Ohio-based employee benefits consulting firm, reported to OCR on August 17 that it experienced an email hacking incident that affected the PHI of 2,032 individuals.
- Wells Pharmacy Network, a Florida-based compounding pharmacy, told OCR on August 10 that unauthorized access/disclosure involving email, laptop, and other portable electronic device affected the PHI of 10,000 individuals.
- CoreLink Administrative Solutions, a North Dakota-based healthcare benefits technology company, reported to OCR on August 6 that an email hacking incident exposed PHI of 1,813 individuals.
- Canyon Road Chiropractic and Massage, an Oregon-based chiropractor and massage therapist, told OCR on August 3 that a network server incident exposed PHI of 2,900 individuals.