Three separate recent health data breaches affected individuals in New Hampshire, New Jersey, and New York. While not connected, these incidents further underline the importance of comprehensive security measures. Anything from human error to unauthorized access by a third party could create privacy issues for a healthcare organization.
Facilities must have current administrative, physical, and technical safeguards in place to best prepare themselves and keep patient data secure.
Buffalo Heart Group suffers computer breach
New York’s Buffalo Heart Group, LLP announced that a serious computer breach took place in Spring 2014, potentially affecting 500 to 600 patients. Information exposed includes patient names, dates of birth, addresses, telephone numbers, e-superbills, and appointment schedules. However, Social Security numbers, health information and financial information were not included.
“The recently completed internal investigation indicated insider wrongdoing resulted in the access of certain health information by unnamed third parties operating under the direction of a physician then associated with the medical practice and used by the physician to solicit patients in connection with the physician’s new employment,” according to a statement by the law firm Hurwitz-Fine that was published by WKBW Buffalo.
The law firm added that there has been no unauthorized access since June 2014, and it is also “unlikely that any precautionary or preventative measures are required to be taken by affected individuals.” Notification letters were sent out and Buffalo Heart has reportedly notified HHS.
New Hampshire facility hit by health data breach
Unity Recovery Group, Inc. announced that personal information was “improperly disclosed” between April 2014 and March 2015. The statement did not specify how the breach took place, just that it “involved the disclosure of [patients’] personal information to one or more unaffiliated recovery and/or rehabilitation service providers, without [their] prior written consent.”
Affiliated companies including Starting Point Detox, LLC, Lakeside Treatment Center, LLC, Changing Tides Transitional Living, LLC, and Unity Recovery Center, Inc. were also affected, according to Unity’s statement.
Potentially exposed information includes names, addresses, dates of birth, telephone numbers, Social Security numbers, email addresses, insurance information, and/or certain health-related information.
“To protect against future incidents, we have undertaken additional technological security measures and implemented additional training of our employees to ensure compliance with Unity’s Policies,” Unity said. “We have also hired outside legal counsel to assist us with our investigation and Forensic Data Services, Inc., a technology forensics firm, to enhance the security of our IT systems.”
Unity explained in its notification to the New Hampshire Attorney General that the disclosure included fewer than 1,000 individuals’ personal information. Affected individuals reside in various states, but no single state included more than 500 patients.
Complimentary identity and credit protection services will also be offered for one year to those who were affected by the health data breach.
Employee sends emails with patient info. to wrong recipient
A New Jersey medical center employee accidentally emailed patient information to an unintended recipient, potentially affecting approximately 1,400 individuals.
Jersey City Medical Center reported that the email was sent on February 19, 2015 and was intended for internal use. The email included an attached spreadsheet with some patient information, the statement said.
Information in the spreadsheet included patient names, health insurance payors, dates of admission and discharge, a one-word description of the medical service department from which the patient received services, and patient Medical Center account number.
“The unintended recipient informed the Medical Center of the mistake on the same day that the email was sent,” the medical center explained. “The Medical Center attempted to obtain official confirmation that the email was completely deleted and the information was not further disclosed. Unfortunately, such confirmation has not yet been received.”