Healthcare Information Security

ERS Online Coding Error Exposes 1.25M Users to Health Data Breach

Latest health data breaches include 1.25 million people having their personal data exposed on ERS Online, Yale University reporting another breach, and a phishing attack that exposes PHI on 20K in North Carolina.

By Fred Donovan

The Employee Retirement System (ERS) of Texas reported to OCR on Oct. 15 that information on potentially 1.25 million people may have been exposed in a health data breach.

In a statement on its website, ERS explained that a coding error on its password-protected ERS Online portal allowed certain members who logged in with their username and password to view other members’ information. ERS said that members would have to use a specific function to input search criteria in order to view other members’ information.

Information that might have been exposed included first and last names, Social Security numbers, and ERS member identification numbers.

ERS said that when it found out about the problem on Aug. 17 it immediately shut down ERS Online and disabled the flawed search function. ERS Online was brought back online without the flawed search function.

ERS said it is providing free identity restoration services to those who might have been affected.

It has taken a number of steps to prevent this from happening in the future, including implementing controls on code design and code reviews, reviewing the coding for similar functions, and reviewing its manual and automated processes to improve protection of members’ data.

Yale Reports Breach Affecting 1,102, Faces Previous Breach Lawsuits

Yale University reported to OCR on Oct. 17 an unauthorized paper disclosure that exposed PHI on 1,102 individuals. No additional information was provided.

This comes after Yale admitted in July that a data breach occurred between 2008 and 2009 affecting 119,000 faculty, staff, and alumni. In a release, Yale said that attackers gained access to a database stored on a Yale server.

The information exposed in the earlier breach included names, dates of birth, Social Security numbers, and email and physical addresses.

Two class-action lawsuits have been filed in federal court against Yale for the earlier breach, the New Haven Register reported.

CVMC Suffers Phishing Attack Putting PHI of 20K Patients at Risk

North Carolina-based Catawba Valley Medical Center (CVMC) announced Oct. 12 it suffered a phishing attack that succeeded in compromising three employees’ email accounts and exposed PHI on patients.

CVMC told OCR that 20,000 individuals may have been impacted by the breach.

An investigation by a forensic firm determined three email accounts could have been accessed between July 4 and Aug. 17.

Information that might have been compromised included patient names, dates of birth, health information about services, health insurance information, and, for some, Social Security numbers. CVMC mailed out letters on Oct. 12 informing potential victims.

CHOP Admits to Email Breach Affecting PHI on 5,368 Patients

The Children’s Hospital of Philadelphia (CHOP) reported to OCR on Oct. 23 an email hacking incident that put PHI on 5,368 at risk.

In a press release, the hospital said that it discovered two email breaches that exposed PHI, including patient name, date of birth, and clinic information related to neonatal and/or fetal care provided at CHOP or at the Hospital of the University of Pennsylvania.

The first breach, discovered on Aug. 24, occurred when an unauthorized user gained access to a CHOP physician's email account. A second breach, discovered on Sept. 6, identified unauthorized access to an additional email account on Aug. 29. CHOP sent letters to potential victims on Oct. 23.

FirstCare Admits to Email Mistake That Exposed e-PHI on 8K Individuals

Texas-based FirstCare Health Plans reported to OCR on Oct. 12 an email error exposing e-PHI on 8,056 individuals.

In a press release, FirstCare said the breach may have compromised member name, identification number, treatment description, procedure costs, authorization number, and treating provider name.

FirstCare’s IT security team was alerted on Aug. 15 that e-PHI was emailed to an external account without encryption. The team discovered that from March 22, 2017, through August 16, 2018, an automated daily report containing medical requests had been emailed to an unintended recipient.

FirstCare said it will offer free credit monitoring and reporting services to those affected.

