- InterAct of Michigan reported to OCR on August 7 that an email hacking incident may have exposed PHI on 1,290 individuals.
In a statement on its website, InterAct explained that it became aware on June 8 that an unauthorized third party accessed a company email account.
The mental health and substance abuse treatment provider determined on July 30 that the email account contained clients’ names and Social Security numbers, and in some cases dates of birth, treatment history, and prescription data.
The provider terminated the account credentials and hired a forensic security firm to assist in the breach investigation.
InterAct sent letters on August 7 to impacted individuals informing them of the breach. It said it is offering free identity theft protection services, but it did not say for how long those services would be provided.
The provider said it is beefing up its email security, including creating a rule to disable forwarding to external e-mail addresses, reviewing logs on a weekly basis to identity any suspicious logins, and monitoring accounts for single user inbox rules.
Kaiser of Colorado Admits to Sending 900 Letters To Wrong People
Kaiser Foundation Health Plan of Colorado reported to OCR August 3 that a disclosure involving paper records may have compromised personal information on 900 individuals.
In a statement obtained by HealthITSecurity.com, Kaiser said that letters it mailed on May 29 were sent to the wrong people. The letters contained members' first and last names and primary care physicians.
Kaiser stressed that the letters did not contain sensitive financial data or health data, such as medical record number or medical diagnosis. It said that it is asking people who received the misdirected letters to destroy them.
“To reduce the likelihood of similar errors occurring in the future we have reviewed processes and procedures and implemented additional safeguards and quality checks to ensure future mailings of this type are accurate,” Kaiser’s statement said.
Oregon’s Lane County Loses Paper Medical Records on 715 Patients
Oregon-based Lane County Health and Human Services (H&HS) admitted July 24 that it lost 49 boxes containing medical records on 715 patients.
H&HS said it discovered on June 19 that the medical records of 566 patients of Community Health Centers of Lane County and 149 clients of Lane County Developmental Disabilities were missing.
Data contained in the records included patient medical histories, addresses, contact information, and Social Security numbers.
The records had been relocated by a moving company to a storage facility during the renovation of the Charnelton Clinic, but searches by H&HS staff failed to locate them.
“Analysis indicates the records may have been inadvertently destroyed as part of routine document management practice for non-medical records,” H&HS said in its release.
The agency sent notification letters to affected patients on July 24. It is offering to reimburse victims for six months of credit monitoring services.
“H&HS immediately began to review its policies and practices regarding records storage and is taking steps to protect against future incidents, including obtaining specialized, secure medical records storage services,” the release said.
MedSpring Cops to Email Breach Exposing Data on 13K Patient
Texas-based MedSpring Urgent Care reported to OCR on July 20 that an email hacking incident may have exposed PHI on 13,034 patients.
In a July 20 statement, MedSpring said that it discovered on May 17 that an employee fell victim to a phishing attack that compromised the employee’s email account.
After hiring a cybersecurity forensics firm to investigate the breach, MedSpring determined that the information that may have been accessed by an unauthorized third party included patients’ names, account numbers, medical record numbers, and dates and services relating to medical treatment.
MedSpring said it is providing free identity protection and fraud resolution services for one year to affected patients. It also is implementing security features designed to prevent future phishing scams.