- Another medical center has reported a potential healthcare data breach stemming from a hacking incident affecting EHR vendor Bizmatics, according to a HIPAA notification letter on the ENT and Allergy Center’s website.
The Office of Civil Rights reported on its data breach tool that 16,200 individuals were impacted by the healthcare data security incident.
The medical center reported that its EHR vendor, Bizamtics, had discovered that an unauthorized user had accessed its data servers, which stored and managed patient files. The outside party first hacked the data servers in early 2015 and continued to access EHR files until Bizmatics discovered the intruder later that year.
The vendor notified ENT and Allergy Center that some of its EHR files may have been viewed or acquired as a result of the possible data breach. Although, Bizmatics could not identify which patient files may have been exposed.
Bizmatics confirmed to the medical center that patient information that may have been affected included names, addresses, healthcare visit information, and the last four digits of Social Security numbers. However, the EHR files did not contain credit card numbers or any other financial information.
Upon discovering the possible healthcare data breach, Bizmatics contacted law enforcement officials and hired a private cybersecurity firm to secure its systems and investigate the event.
ENT and Allergy Center stated that it has notified all affected individuals and offered them free credit, fraud, and identity-theft monitoring services for a year. The healthcare facility has also established a toll-free phone number dedicated to answering questions about the healthcare data security incident.
Additionally, the healthcare organization reported that it is “in the process of implementing safeguards to protect your information.”
Bizmatics has also been involved in several other recent possible healthcare data breaches.
Last month, Pennsylvania-based Integrated Health Solutions PC reported that 19,776 individuals were notified of a potential EHR breach after an outside entity had accessed Bizmatics systems. Similarly, the EHR vendor could not confirm if patient files were accessed and what records were affected.
In another healthcare data security event, Bizmatics informed Southeast Eye Institute PA earlier this year that its EHR files may have been exposed in a hacking incident from January 2015. The organization reported that 87,314 individuals were affected by the incident.
There have been several other reports of possible EHR breaches caused by unauthorized access of data servers and systems at Bizmatics. However, the vendor has not released a statement addressing the incidents.
TX agency notifies 600 patients of possible PHI breach
The Texas Health and Human Services Commission has announced a possible PHI breach that has affected 600 individuals, reported a statement on its website.
The agency was notified by Iron Mountain, one of its contractors and a document shredding company, that 15 boxes containing client information went missing from the Irving, Fort Worth, and Dallas facilities.
The Texas Health and Human Services Commission had hired the company to destroy the client documents within the boxes because they contained confidential information from individuals who may have applied for medical assistance between January 1, 2008 and August 31, 2009.
Neither the agency’s statement nor the contractor have released information on how the boxes were misplaced.
PHI that may have been involved in the possible healthcare data breach included Social Security numbers, addresses, Social Security claim numbers, dates of birth, names, medical record numbers, Medicaid or individual numbers, case numbers, and bank account information.
In response, the Texas Health and Human Services Commission contacted all individuals who may have been affected by the healthcare data security incident and provided them with complimentary credit monitoring services for one year.
Additionally, the agency has taken steps to improve data security measures regarding confidential information.
“The agency is conducting an investigation into Iron Mountain's handling of this event and taking steps to secure confidential information and reduce the chances of this event happening again,” explained the statement. “After the investigation is complete, HHSC [Health and Human Services Commission] will review processes and procedures, making any changes needed to prevent this type of event in the future.”
Police officer discovers abandoned medical records in public park in Indiana
The Indiana Attorney General is investigating a potential healthcare data breach after private medical records were discovered in recycling bins in a public park, reported an article on the TheIndyChannel.com.
A member of the Indiana Metropolitan Police Department found the medical records among other recycled materials in public dumpsters in the park. The file folders contained patient information, such as names, addresses, Social Security numbers, and insurance information.
In a statement to the news source, the Indiana Attorney General’s office stated that it is working with the police department and several waste or recycling processing companies who may have handled the abandoned files in order to obtain and secure them.
The office also reported that it can review the possible healthcare data breach and seek enforcement actions for HIPAA and Indiana’s Disclosure of Security Breach law violations.
As part of its review, the Attorney General’s office plans to work with affected individuals to help prevent potential fraud and connect them to their lost files.
Additionally, it has encouraged all private individuals to immediately report abandoned medical records or other documents containing personal identifying information to the Indiana Attorney General’s office. The office typically takes possession of these records to ensure they are secured and are not misused.The Attorney General did not disclose how many medical records were found or what healthcare practices may be involved.