Henry Ford Health System experienced a PHI data breach after an unauthorized individual gained access to or stole a group of employees’ email accounts, according to an online statement from the organization. Henry Ford said it is notifying the 18,470 patients who may have had their information exposed.
The organization learned of the incident on October 3, 2017, and said that employee email credentials are name- and password-protected by encryption. However, the individual(s) would have been able to access employee email accounts with the email credentials.
Possibly affected information includes patient names, dates of birth, medical record numbers, provider names, dates of service, department names, locations, medical conditions and health insurers. Social Security numbers and credit card information were not involved.
Henry Ford said it is strengthening its security protections for employees, and that staff members “will be educated about this measure in the coming weeks.”
“In addition, we are expediting our initiatives around email retention and multi-factor authentication, which will decrease future risks to our patients and employees,” Henry Ford stated. “To provide protection to our patients, new medical record numbers will be issued upon request.”
MA facility reports likely ransomware attack
Sports Medicine & Rehabilitation Therapy of Malden and Reading, Massachusetts is in the process of notifying patients on whom the facility collected data prior to December 31, 2016 that there was a breach of patient data.
While the Sports Medicine online statement does not specifically say it experienced a ransomware attack, it did report that “hackers attempted to extort money to keep the breach from becoming public.” The FBI and Homeland Security also investigated the incident.
“We applied for [the FBI and Homeland Security] report through the Freedom of Information Act, but have not yet received a copy,” the statement read. “We have no reason to believe that the data has been or will be used for further nefarious purposes.”
The statement also did not say what information may have been impacted, but it did say “there was no financial information on file and Social Security numbers were not recorded after 2011.” Every patient record did include an insurance identification number and a diagnostic code.
The OCR data breach reporting tool reports that 7,000 individuals may have been impacted.
Sports Medicine said its systems will continue to be monitored and that it has enhanced its systems with advanced firewall technology.
Ransomware attack affects CCRM Minneapolis, P.C.
Minnesota fertility clinic CCRM Minneapolis, P.C. recently announced on its website that it discovered on October 3, 2017 that its servers had been affected by a ransomware attack.
There is currently no indication that any patient data was accessed, viewed, or misused, but the facility said it is still working to notify potentially impacted patients.
Information involved in the ransomware attack includes names, addresses, phone numbers, dates of birth, email addresses, Social Security numbers, driver’s licenses, insurance identification numbers and medical records.
OCR shows on its data breach reporting tool that 3,300 individuals were possibly affected.
“Although there is no evidence that the unauthorized third party accessed any information and we are not aware of any misuse of patient information, we take the privacy and security of patient information very seriously, and have taken steps to prevent a similar event from occurring in the future,” CCRM said.
NJ org reports unauthorized removal of paper records
Otolaryngology Associates of Central NJ (OACNJ) recently reported that there was an unauthorized removal of 13 boxes of paper medical records.
The boxes were being stored at a locked, off-site storage facility that is used to store hard copy medical records of patients who are no longer in active OACNJ treatment.
Law enforcement notified OACNJ of the incident on September 12, 2013, according to the online statement.
“The boxes were impermissibly removed by an unauthorized individual who attempted to sell them to a third party,” OACNJ said. “The third party promptly contacted Homeland Security and turned over the boxes received. The unauthorized individual has been apprehended by law enforcement.”
Patient full names and addresses were included in the boxes. Telephone numbers, health plan account numbers, dates of birth, dates of service, and name/status of treating physician for an unknown date range may also have been included. Social Security numbers and/or driver’s license numbers may also have been involved for some patients.
The OCR data breach reporting tool states that 1,551 individuals may have been impacted.
“Upon learning of the incident, OACNJ immediately began its own investigation to determine which patients’ records were involved,” the statement read. “OACNJ has also taken steps to prevent future security incidents involving stored patient records.”
Phishing attack creates data security incident at PA org
Pennsylvania-based UPMC Susquehanna explained on its website that a phishing attack may have led to the information of 1,200 patients being accessed.
An employee reported suspicious activity to IT staff on September 21, 2017. An internal investigation revealed that patient names, dates of birth, contact information and Social Security numbers may have been involved.
“UPMC Susquehanna took immediate corrective action with the staff members involved, including intensive re-training on the applicable policies and laws,” the statement explained. “In addition, UPMC Susquehanna has completed a comprehensive review of current procedures for keeping patient information secure.”
“Current procedures include a combination of staff education, employment screening and other industry best practices,” the organization continued. “UPMC Susquehanna requires every staff member to participate in privacy/confidentiality annual education.”
UPMC Susquehanna Privacy Officer David Samar said in a statement that patient care was never affected by the incident, but that UPMC Susquehanna cannot confirm if the information was used for “improper purposes.”