Healthcare Information Security

Patient Privacy News

Healthcare Data Breaches Hit Calif. & Ill. Facilities

By Elizabeth Snell

Without the right physical, administrative and technical safeguards, facilities could face healthcare data breaches.

- Healthcare facilities must remain diligent in their security measures, whether it is preparing for potential online security threats or the physical loss or theft of a device. Healthcare data breaches cannot overlook one area while attempting to strengthen another. Without comprehensive security and privacy measures that all staff members are educated on, several types of healthcare data breaches could take place.

Third-party website exposes patients’ PHI

Last week the Redding, Calif.-based Mercy Medical Center Redding Oncology Clinic discovered that physician progress notes were publically accessible on a third-party website. The exposed information included patient names, medical record numbers, dates of birth, ages, dates of service, diagnoses, medications, review of systems, current therapies, and treatment plans,according to a letter from Michelle Kirby, Dignity Health Service Area Compliance Director. A copy of the letter was posted on the California Attorney General’s website.

Potentially affected patients received treatment at Mercy Medical from June to Oct. 2014. Social Security numbers and other financial information was not involved, according to the clinic.

“We sincerely regret this incident occurred and are taking appropriate measures to prevent any similar incident in the future, including continuing efforts to educate staff and physicians on securing medical information,” Kirby wrote.

Patients’ information is not believed to have been accessed inappropriately. However, Kirby suggested that patients contact one of the three major credit bureaus and place a fraud alert on their credit file.

It is not specified in the letter how many patients were potentially affected or on what type of website the PHI was exposed. Mercy Medical simply explained that “Upon discovery the third party removed the link from their website rendering the information no longer accessible.”

2,800 patients’ info on stolen Northwestern Memorial laptop

Northwestern Medicine Lake Forest Hospital, Northwestern Memorial Hospital and Northwestern Medical Group notified approximately 3,000 patients that their PHI was potentially compromised in October.

Northwestern learned on Oct. 21 that a password protected, unencrypted laptop containing patient information was inside an employee’s vehicle that was stolen on that same date,according to a facility statement on its website.

The laptop may have contained patients’ names, addresses, dates of birth, health insurance information, billing codes, date of services, physician’s name, medical record numbers, diagnosis, and treatment information. In a few cases, Social Security numbers might have also been compromised, Northwestern explained. However, credit card and bank account information were not included.

“We deeply regret any inconvenience this may cause you,” the statement read. “NMHC has a robust privacy and security program, including encryption of laptop computers. To help prevent something like this from happening again, NMHC is confirming and ensuring encryption of all laptop computers and reinforcing education with our staff on the importance of handling patients’ information securely.”

The facility added that there is no indication that the information on the laptop was maliciously used. However, notification letters were sent to potentially affected patients on Dec. 19, and individuals are urged to reach out to a dedicated call center if they have any questions or concerns.


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks