- A Connecticut-based podiatry group is facing a possible healthcare data breach that has impacted approximately 40,491 individuals after hackers accessed network services, according to the Office of Civil Rights data breach report.
An outside party had gained access to Stamford Podiatry Group’s systems, including its EHR database, reported the healthcare group in a notification letter on its website. The intruder may have viewed patient information between February 22 and April 14, 2016.
Personal information involved in the healthcare data security event included medical histories, treatment information, names, Social Security numbers, dates of birth, genders, marital statuses, addresses, phone numbers, email addresses, names of doctors, and insurance information.
After discovering the incident on April 14, the healthcare group launched a forensic investigation and terminated the unauthorized user’s access to its systems.
“We have also implemented and are continuing to implement additional security measures designed to protect our systems against future intrusions,” wrote Stamford Podiatry Group’s Vice President Rui DeMelo, DPM, FACFAS, in the letter. “We have retained cybersecurity experts to assist us in these efforts.”
While the healthcare group has attempted to notify all affected patients, Stamford Podiatry Group has also advised individuals to monitor financial and medical accounts for potential identify theft. Impacted individuals have been offered free credit monitoring services for a year.
Employee misuse results in potential healthcare data breach
Inappropriate access to patient information over seven years has resulted in a possible PHI breach at an Iowan hospital, announced a report by The Courier.
UnityPoint Health-Allen Hospital has notified about 1,620 patients that a former employee had improperly viewed PHI through the hospital’s EHR system. The incident was discovered on March 14, but an investigation revealed that the employee had been inappropriately accessing patient files since September 2009.
At the time, the employee was allowed access to the EHR system to do her job, but she did not have the authority to view the records for patients who are involved in this healthcare data security event. When the hospital detected the possible PHI breach, the employee’s EHR access was terminated and the staff member was disciplined according to hospital policies.
Patients may have had their names, home addresses, dates of birth, health insurance information, and treatment information disclosed in the incident. The report stated that less than 15 percent of affected patients may have had their Social Security numbers viewed.
“We apologize to our affected patients, and we accept our responsibility to keep this event from happening again,” UnityPoint Health-Allen Hospital’s Vice President for Institutional Advancement Jim Waterbury told The Courier.
The hospital has taken steps to prevent other healthcare data breaches, including additional training on proper access of EHR systems and performing more audits.
Stolen logbook leads to potential PHI exposure for AZ patients
A possible healthcare data breach was reported in Arizona after a physician’s logbook was stolen from a personal vehicle in March, according to an article on Tucson.com.
PHI may have been exposed for approximately 1,000 individuals who visited Carondelet St. Mary’s and St. Joseph’s emergency rooms between October 14, 2015 and March 25, 2015. The patient information contained in the logbook included names, dates of birth, ages, genders, hospital names, dates of hospital visits, hospital medical record numbers, hospital identification numbers, and descriptions of medical issues.
While the physician did not violate HIPAA rules by taking the logbook out of the hospital and leaving it in her person vehicle, the report noted that it was not a recommended practice.
In response, a representative from Arizona-based Emergency Medicine Associates released a statement about the possible healthcare data breach. The organization provides ER staffing coverage for the affected emergency departments and Carondelet Health Network deferred all questions to the staffing company because the incident did not involve Carondelet staff.
“EMA [Emergency Medicine Associates] takes safeguarding the privacy of its patients’ personal information very seriously,” said Privacy Officer for Emergency Medicine Associates Lori Levine, DO, FACEP, in a news release. “In response to this theft, EMA has reviewed and revised its policies regarding logbooks and provided additional training to its physicians so that incidents like this can be prevented from occurring in the future.”
Levine also stated that the staffing organization has provided additional HIPAA training and notified all affected individuals of the potential healthcare data breach.
Health plan’s vendor mis-mailing affects 591 individuals
About 591 individuals have been affected by a possible security incident involving a health plan organization, stated the Office of Civil Rights data breach portal.
In a statement on its website, Coordinated Health Mutual, Inc. confirmed the healthcare data security incident, which occurred after a vendor experienced an “internal, electronic sorting issue.” The vendor inadvertently printed and mailed about 650 incorrect or incomplete 1095-B forms.
A 1095-B form is a healthcare insurance form that verifies an individual’s health insurance coverage for a specific amount of time. The information on the form includes what type of coverage an individual has, any dependents on the policy, and the how long the policy was active.
Coordinated Mutual Health, Inc. explained that the misprinted forms either did not list a policyholder’s dependents or the incorrect dependents were displayed. Specifically, an individual may have received the information on another policyholder’s dependents.
After an investigation with the vendor, Coordinated Mutual Health, Inc. found that less than 800 dependents were listed on the incorrect policyholder’s form.
Affected individuals have been alerted of the security incident and the healthcare organization has encouraged all members to destroy or return any inaccurate forms they may have received.
Additionally, Coordinated Mutual Health, Inc. has offered identity protection services to any impacted dependent. Policyholders are expected to receive their corrected 1095-B forms with instructions on how to enroll in the services.