Independence Blue Cross Admits to Healthcare Data Breach

Recent healthcare data breaches include a BCBS company putting PHI on a public website, unsecured cloud storage of PII, a phishing attack, and lost disk drives.

By Fred Donovan

Philadelphia-based Independence Blue Cross (IBC) announced Sept. 17 that PHI was uploaded by an employee to a website that was publicly accessible between April 23 and July 20, 2018.

KYW news radio reported that around 17,000 IBC customers were affected.

The information that may have been exposed included member name, date of birth, diagnosis codes, provider information, and other information used for claim processing purposes, such as claim number, referral number, and service dates.

A third-party forensics investigation firm was unable to determine if any information was accessed. However, the company is offering two years of free identity protection services to those affected.

“We reviewed company policies and procedures and implemented additional technical controls to help prevent future incidents of this kind,” IBC said in its notice.

MedCall Stores PII on 3K Individuals in Unsecured AWS Bucket

MedCall Healthcare Advisors stored personally identifiable information (PII) of nearly 3,000 individuals in an unsecured Amazon S3 storage bucket, according to the UpGuard Cyber Risk team.

MedCall is an emergency care medical service that uses communication technology to connect anyone experiencing a medical event with an emergency medicine physician.

“Included in the exposed 7 gigabyte datastore were PDF injury intake forms for 181 different business locations across America, with PII, descriptions of injury and sickness, and details about the patient’s employment and employer,” explained the UpGuard Cyber Risk team in a blog post.

“Also present were recordings of phone calls between patients, Medcall operators, and doctors. Finally, a directory of comma separated values (CSV) files contained PII including full Social Security Number for nearly 3,000 individuals enrolled through Medcall’s services,” it related.

Ohio Living Says Email Hack Might Have Affected 6,510 Clients

Ohio Living, a Columbus-based retirement communities and healthcare services operator, reported to OCR Sept. 7 that an email hacking incident affected 6,510 individuals.

In a news release, Ohio Living explained that on July 19 it determined that there were unauthorized logins into some employee email accounts that could have exposed information on Ohio Living clients.   

After an investigation by a computer forensics expert, Ohio Living determined that the information that might have been compromised included name, contact information, Social Security number, financial information, date of birth, medical record number, patient ID number, medical and/or clinical information, including diagnosis, treatment information, and health insurance.

In response to the incident, Ohio Living disabled the employee’s email account, changed the password, and notified other employees to watch for suspicious emails. It then implemented password resets for all employees and additional training for employees to prevent similar future incidents.

Ohio Living said it could not confirm whether any client's personal information was accessed, viewed, or acquired without permission. However, it decided to offer complimentary credit monitoring services to affected individuals.

Phishing Attack at Catholic Charities Exposed 565 Patients

New York-based Catholic Charities Neighborhood Services (CCNS) told OCR on Sept. 7 that an email hack exposed PHI on 565 individuals.

In a news release, CCNS said that on July 13 it discovered suspicious activity in an employee’s email account.

An investigation with third-party forensics investigators found that an employee had received a spam phishing email and provided email credentials to an unauthorized actor, who then gained access to the CCNS employee email account on July 3.

The information that may have been accessed included patient name, date of birth, Social Security number, Medicaid ID number, diagnosis information, medications, date of admission/discharge, and/or hospital name.

CCNS said it did not have any evidence of misuse of this information. Nonetheless, it is providing complimentary credit monitoring and identity protection services to those affected.

St. Joseph's Medical Center Loses Disk Drives With Lab Results

California-based St. Joseph’s Medical Center reported to OCR on Aug. 31 that portable electronic devices containing PHI of 4,984 individuals were lost.

On its website, the hospital elaborated that lab chemistry tests performed at the facility in April 2018 were saved on two disk drives that were lost. Information on the disks included patient name, date of birth, nursing unit location, account number, gender, type of lab tests and results, and name of doctor who ordered the tests.

“There is no indication that the information has been accessed or used for any wrong purpose,” the hospital explained.

Although the information was not encrypted, the “hard drives used a highly specialized computer operating system, such that the information on the hard drives would not be easy to read or understand.”

St. Joseph’s Medical Center is part of the Dignity Health organization, which operates 39 hospitals and 400 ancillary care facilities in California, Arizona, and Nevada.

