Healthcare Information Security

Geisinger Health Plan PHI Disclosure Affects 2,800

Several recent cases of potential health data breaches and PHI disclosures include cases of processing error, missing patient records, and improper PHI disposal.

By Elizabeth Snell

Geisinger Health Plan (GHP) recently announced that it experienced an unauthorized PHI disclosure affecting 2,814 members from 220 employers.

GHP said it learned on August 4, 2016 that a processing error had taken place for July 30, 2016 invoices. The error may have led to PHI “being mistakenly mailed to private citizens,” the health plan said in its statement. GHP added that the error has since been fixed.

Member name, date of birth, health insurance premium information, member identification number and smoking status were included on the invoices. Medical treatment or financial information, such as Social Security numbers, were not included, according to GHP.

“We have contacted both the affected members and businesses regarding the processing error and the possibility of a disclosure,” Geisinger Privacy Officer John Gildersleeve said in a statement. “In addition, we have requested that the invoices be returned so they can be properly destroyed in compliance with Geisinger Health System policies and procedures.”   

Gildersleeve added that if individuals did not receive a notification letter, then their PHI was not included in this incident.

“We take our responsibility to protect personal information seriously,” he said. “We apologize for any inconvenience and remain dedicated to safeguarding member information.”

PHI breach after binder reported missing

An Oberlin, Kansas facility reported a PHI breach after it was discovered that a CAT scan log binder was not in its typical location.

Decatur Health Systems (DHS) explained in an online statement that the binder was likely taken from DHS between 5pm on July 22, 2016 and 7am on July 25, 2016. The information in the binder held data on 707 patients, and included patient names, dates of birth, dates of exams, diagnoses leading to the CAT scan, ordering providers, and x-ray exposure levels. Social Security numbers were not included.

DHS added that it is working with local and federal law enforcement agencies to retrieve the binder, find who removed it, and determine how the patient information may have been used:

DHS knows the importance of keeping protected health information private and sincerely apologizes to the patients whose names were in the binder. They are working to ensure all patient information contained in other hard copy records and other sources of patient information are secure. They have changed key locks within the facility, conducted audits, and implemented new policies and processes. DHS employees have received additional training on security beyond their annual education and training.

DHS Privacy Officer Erica Fortin said that potentially affected individuals will receive a notification letter. Should patients have further questions they are encouraged to reach out to her.

Calif. doctor reports improper disposal of information

Los Banos, California-based Dr. Pratap Kurra was told on August 9, 2016 that papers related to his practice were found in a trash container.

Kurra explained in a press release that an investigation revealed that one day prior, “billing tickets used by his practice were accidentally thrown away during his move.” However, all records were retrieved within 24 hours.

“Dr. Kurra was in immediate contact with hospital administrative staff, he discussed this matter with his staff to ensure such an event does not happen again, and he notified the appropriate state and federal agencies about this incident including the California Attorney General and Health and Human Services Department,” the statement explained.

Potentially exposed information includes patient names, procedure type, surgeon, Dr. Kurra's name as the anesthesiologist, hospital, date, and time of procedure, type of anesthesia used, and difficulty of case. However, Social Security numbers, dates of birth, financial information, medical insurance information, patient identification numbers, and contact information were not included in the billing tickets.

While the release did not specify how many patients were potentially affected, it did state that it was limited to patients from December 1, 2011 to April 30, 2016.

Electronic file system accessed by unauthorized party

University Gastroenterology (UGI) in Rhode Island recently announced that some personal information and PHI may have been exposed after an unauthorized party accessed an electronic file system.

UGI discovered on July 11, 2016 that the system was accessed, and that several files were then encrypted. UGI had reportedly acquired the system from Consultants in Gastroenterology in 2014.

“We take the privacy and security of personal information very seriously, have already taken steps to prevent a similar event from occurring in the future, and are making additional security enhancements to protect the privacy and security of patient information,” UGI said in its statement. “This includes deploying an enhanced anti-malware solution to every computer and server within our system, disabling inactive user accounts, and removing the affected servers from our network.”

While patients’ medical records were not included in the files, they may have contained patient names, addresses, dates of birth, Social Security numbers, and medical billing information.

UGI added that it is not aware of any attempted or actual misuse of patient information. Even so, individuals who receive a notification letter are encouraged to enroll in the complimentary identity protection services UGI is offering.
