Kentucky Counseling Center recently notified 16,440 patients that an employee potentially exfiltrated a list of their data that was later shared with a former staff member.
According to the notification, a former employee notified KCC that they received an email containing a list of patients. Officials said they launched an investigation and determined that the breach was likely caused by a staff member taking the patient list without authorization from the computer system on December 6.
Further, officials said they believe the same employee used an anonymous internet file sharing service to share the list with the former staff member. The individual responsible for the exfiltration is no longer with the provider.
The stolen list contained patient names, Social Security numbers, dates of birth, emails, phone numbers, marital and employment status, and insurance details. The compromised data did not include any clinical information outside of the dates of service and/or the next appointment. For some patients, the names of KCC clinicians involved with their care were also listed. All patients will receive a year of free credit monitoring.
Since the security incident, officials said they've strengthened password requirements and added multi-factor authentication to the provider's system.
Potential Rocky Boy Health Medical Records Breach
Montana-based Rocky Boy Health is notifying patients of a break-in at the provider’s office that potentially breached their medical records.
CEO Jessica WindyBoy discovered on January 16 that robbers had forcibly removed the padlock from an office containing medical records. The potential breach occurred about two days prior. Officials said they immediately removed the records and brought the files to the main office for further investigation.
The files contained dental and x-ray records dating back to 1991, including full names, dates of birth, Social Security numbers, and diagnosis codes. Officials contacted police and filed a report.
To avoid another breach, those records have since been scanned into the electronic health records system and shredded by a HIPAA-compliant company.
The data of nearly 1 million University of Washington Medicine patients was exposed online for three weeks, due to an employee error when configuring the database in December. Officials had to work with Google over the course of a month to remove saved versions of patient files and to prevent them from showing up in search results.
Several UConn Health employees fell victim to phishing attacks in late 2018, which potentially breached the data of 326,000 patients. About 1,500 Social Security numbers were breached, as well.