A healthcare ransomware attack allowed an unknown hacker to gain access to EMR software containing patient medical records, Jemison Internal Medicine, PC (JIM) announced on its website.
The Alabama-based practice said the virus encrypted its EMR software and that the attacker demanded a monetary payment. JIM did not pay the ransom and “removed the virus by reinstalling the operating system on its server and then restoring its patient records from backup copies.”
The system was accessed between September and December 2017, but the ransomware infected the EMR on December 20, 2017. There is no evidence showing that the hacker accessed the files on the EMR, but the possibility cannot be ruled out, JIM explained.
However, “subsequent scans of the practice’s computer system have shown no additional indications of the ransomware.”
Potentially accessed information includes patient names, addresses, telephone numbers, Social Security numbers, dates of birth, driver’s license numbers, treatment or procedure information, prescription information, and/or healthcare insurance information.
The organization stated it changed all passwords to access its system and disabled remote connectivity. Policies and procedures are being reviewed and JIM is “evaluating other steps to further strengthen the security of its patients’ information.”
JIM reported to OCR that 6,550 individuals may have been impacted.
NJ ShopRite reports data security incident from device disposal
A Millville, New Jersey ShopRite experienced a data breach when a device used to capture customer signatures at the pharmacy was inadvertently disposed of in June 2016, a Wakefern Food Corp statement explained.
Individuals’ names, phone numbers, dates of birth, prescription numbers, medication names, dates and times of pick-ups or deliveries, signatures, and zip codes may have been on the device.
“The ShopRite store is taking steps to prevent recurrence of similar incidents, including providing supplemental privacy and security training for pharmacy staff and strengthening security policies relating to the appropriate removal of data from, and disposal of, computers and devices.”
A similar incident was reported in November 2017, when a Kingston, New York ShopRite reported a data breach from inadvertent device disposal. The device also captured signatures at the pharmacy and was disposed of in February 2016.
The OCR data breach reporting tool stated 12,172 individuals may have been impacted by the New York incident.
Email error discloses certain patient data at MS hospital
A clerical input error caused information to be sent to a single email address, inadvertently disclosing certain patient data, Memorial Hospital at Gulfport announced online.
The Mississippi-based hospital said approximately 1,500 patients are being notified that their names and internal (Memorial) encounter numbers may have been involved. Financial information, Social Security numbers, diagnoses, symptoms, and other demographic information were not disclosed.
“The error was immediately corrected upon discovery,” the hospital said. “The information sent by email was encrypted and would require a unique password to open.”
It has not yet been confirmed whether the email address was operational or if the information sent was received.
Memorial President and CEO Gary G. Marchand maintained that the hospital will use its “best efforts to prevent any unintended disclosures in the future.”
Health plan data possibly exposed in Houston
A laptop stolen from a City of Houston employee on February 2, 2018, may have compromised the health plan information of other City employees, according to an online statement.
The laptop was password protected but may have contained records including names, addresses, dates of birth, Social Security numbers and other medical information.
The statement did not specify how many individuals may have been impacted.
“The City has reinforced strong measures already in place to protect against breaches,” the statement stressed. “HR professionals are trained not to remove laptops from City offices unless any sensitive data is encrypted.”
“Because one employee failed to follow his training, all employees authorized to work with group health plan data are being retrained to reinforce the prohibition against removing unencrypted data from the protections of City facilities,” the statement continued.
As of February 23, 2018, the laptop had not been found.
Complimentary credit monitoring and identity restoration services for one year will be offered to potentially affected individuals.
MO data security incident from mailing error
A clerical error impacting mailing labels on survey questionnaires led to a data security incident at the Missouri Department of Mental Health, the Department stated.
Personal information of 1,000 individuals may have been sent to the wrong addresses. Medical information and financial information were not involved, the Department said. Only participant names were sent to the wrong address.
The survey questionnaires were sent out on January 16, 2018, and the Department explained it is in the process of notifying those affected.