- In March of 2017, Michigan-based McLaren Medical Group (MMG) learned its computer system had been accessed by an unauthorized party, leading to a health data breach, according to an MMG statement issued to HealthITSecurity.com.
The accessed system stored scanned documents including information related to authorizations, orders, appointment scheduling, and similar data. The breach occurred at MMG’s Mid-Michigan Physicians P.C. practice.
Scanned documents may have included patient information such as patient names, dates of birth, addresses, phone numbers, medical record numbers, diagnoses, and Social Security numbers.
The incident may have impacted the information of 106,008 individuals, according to the OCR data breach reporting tool.
MMG stated it launched an investigation into the incident and confirmed the information of at least seven patients were definitively accessed.
“The computer system that was accessed has been rebuilt and updated with added measures in place to protect patient information from similar activity in the future,” MMG explained.
MMG issued notices to current and previous patients at its Mid-Michigan Physicians P.C. practice on August 24, 2017. The medical group stated it is providing identity theft monitoring and protection services for patients who may have had their data exposed.
“MMG values patient privacy and remains committed to providing quality care,” the organization said. “Ongoing enhancements will be made to continually address and defend against cyber threats to our systems that affect patient privacy.”
Security upgrade gaffe potentially exposes information of 8.8K patients
Silver Cross Hospital recently announced a data security incident occurred with its website management vendor. Patient information may have been exposed in late November of 2016 during a software upgrade.
On June 14, 2017, Silver Cross discovered a security issue related to patient information managed by the vendor and immediately contacted the vendor to secure the exposed data and resolve the problem.
Following an investigation by a third-party forensic firm, Silver Cross learned the vendor had performed a software upgrade that may have reconfigured its security settings. Data in completed web forms was made available online.
“The incident was limited to the data hosted by the vendor, and Silver Cross’s own network and patient records systems were not affected,” Silver Cross said in its online statement.
Silver Cross maintained there is no evidence suggesting an unauthorized party has navigated any of the affected web forms or accessed any sensitive patient information.
Information potentially exposed online includes patient names, street addresses, telephone numbers, email addresses, dates of birth, IP addresses, marital status, race, provider information, and some patient Social Security numbers. Additionally, the health insurance numbers and mental or health condition or treatment information may have been included for some patients.
The information of 8,862 patients may have been exposed in the incident, according to the OCR data breach reporting tool.
“The hospital took steps to address this incident promptly after it was discovered, including by immediately contacting the vendor to disable potential unauthorized access to completed forms and hiring a computer forensics firm to launch a comprehensive investigation into the circumstances surrounding the incident,” Silver Cross stated. “Silver Cross is also working with the vendor to implement security reconfigurations and have retained experts to conduct a detailed assessment of its security practices.”
The hospital is also reviewing policies and performing additional security training to prevent similar incidents moving forward.
Silver Cross is offering 12 months of free credit monitoring to individuals who were impacted.