Improper Hard Drive Disposal Leads to Health Data Breach for 100K

September 21, 2021 - HealthReach Community Health Centers in Waterville, Maine, began notifying over 100,000 patients of a health data breach that resulted from improper disposal of hard drives. The hard drives were improperly disposed of by an employee at a third-party data storage facility, according to a statement shared with the Maine attorney general’s office.

The incident occurred on April 7 and HealthReach discovered the breach on May 7. Further investigation determined that some personally identifiable information (PII) and protected health information (PHI) of patients was involved. The information at risk includes names, addresses, birth dates, Social Security numbers, medical insurance information, lab results, medical record numbers, and treatment records.

The health center stated in the notice that it has no evidence that any information was misused as a result of the breach.

“We are working with cybersecurity counsel to determine the actions to take in response to the incident,” the statement explained.

“Together, we continue to investigate and closely monitor the situation. Further, we are taking steps to prevent a similar event from occurring again in the future, including ensuring our data storage vendors re-train employees and comply with the required safeguards as to the disposal of sensitive information.”

Impacted patients can enroll in complimentary identity theft protection services that include 12 months of credit monitoring, a $1 million insurance reimbursement policy, and identity theft recovery services.

“At this time, we are not aware of anyone experiencing fraud as a result of this incident. We encourage you to remain vigilant, monitor your accounts, and immediately report any suspicious activity or suspected misuse of your personal information,” the statement continued.

Ransomware attacks are on the rise across the healthcare sector, but there are other ways data can be breached. Improper disposal and employee misuse of data can be equally damaging.

Employee email misuse led to compromised PHI at two health clinics in Florida and California recently. Collectively, the breaches impacted over 50,000 individuals.

A breach at South Florida Community Care Network, also known as Community Care Plan, began notifying patients of a breach after it discovered an employee sending internal documents containing PHI to their personal email address.

The information included names, birth dates, addresses, diagnoses, primary care physician information, and member identification numbers.

Similarly, the California Department of State Hospitals (DSH) announced that an employee at Coalinga State hospital had improperly given confidential patient information to the US District Court, Eastern District of California three times between 2013 and 2019.

The employee gave the court patient rosters containing names, case numbers, birth dates, admission dates, and legal commitments. While it is not illegal to provide this information to the court for public benefit, it is against state and federal privacy laws to provide PHI about patients who had never filed a lawsuit with the court.

As breaches become more common, organizations must be aware of any gaps in data security that could leave them vulnerable to cyberattacks and negligent misuse of data. Bad actors are an obvious threat, but improper disposal and poor cyber hygiene can be equally detrimental.