University of Michigan’s Michigan Medicine announced June 25 that around 870 patients were affected by a healthcare data breach that involved the theft of an unencrypted laptop with PHI from an employee’s car.
The theft occurred on June 3, and Michigan Medicine was notified on June 4. The employee’s car was broken into and his bag, which contained the laptop, was stolen. The laptop was password protected but not encrypted.
The laptop contained PHI that was collected for research, such as patient names, birthdates, medical record number, gender, race, diagnosis, and other treatment information. However, it did not contain patient addresses, phone numbers, Social Security numbers, payment card numbers, or bank account numbers, Michigan Medicine noted.
The employee violated company policy by storing the information on a personal unencrypted laptop, said Michigan Medicine.
“Patient privacy is extremely important to us, and we take this matter very seriously. Michigan Medicine has taken immediate steps to investigate this matter,” said Michigan Medicine Chief Compliance Officer Jeanne Strickland.
Michigan Medicine said it believes the risk of fraud is low, partly because the data on the laptop did not include any health plan information or other identifying information that could lead to medical identity theft or financial identity theft.
Dean Health Plan Says 1,311 Patients Got the Wrong Mail
Wisconsin-based Dean Health Plan has sent more than 1,300 patients letters in which the member name and primary care clinic were matched with the wrong address, according to a June 15 announcement emailed to HealthITSecurity.com.
Dean said that the letters contained only the member’s name and clinic and did not contain other personal, financial, or medical information. It blamed the mistake on a clerical error and has notified those affected.
The health plan said it was made aware of the mistake on June 7. It “immediately investigated and determined that the error was caused by a data file that had been incorrectly formatted.”
Dean notified OCR on June 15 that 1,311 individuals were affected by the data breach.
Florida Agency for Persons with Disabilities Suffers Phishing Attack
Florida Agency for Persons with Disabilities (APD) said one of its employees was the victim of a phishing email attack on April 10 that may have compromised PHI on 1,951 clients.
Information that was exposed included names, addresses, birth dates, health information, telephone numbers, and Social Security numbers. The agency said that it has no evidence that the information has been misused.
“APD takes this matter very seriously and has taken steps to protect personal information, including taking swift action to help prevent this type of event from happening again,” the agency stressed.
“On April 13, APD implemented a security upgrade to prevent unauthorized persons from gaining access to APD’s email system. APD will also be enacting additional training for staff members regarding appropriate email security protocols,” it added.
APD said it is providing free credit monitoring services to victims for one year.
21 Incidents Affecting 339,827 People Reported to OCR in June
For the month of June, there were 21 cyber incidents reported to OCR affecting 339,827 individuals (as of June 28, 2018).
Of those 21 incidents, ten involved a hacking/IT incident, nine involved unauthorized access/disclosure, and two were the result of theft.
The largest data breach in June involved Med Associates, a Latham, NY-based health billing company. Med Associates said that an unauthorized individual had accessed an employee’s workstation, and it determined that PHI on 270,000 people may have been exposed.
The second largest data breach this month involved Michigan-based health savings account provider HealthEquity, which said an unauthorized individual had hacked into an employee’s email account and had access to PHI on 16,000 individuals.
The third largest data breach in June impacted Missouri-based Black River Medical Center. In this incident, an employee’s email account was breached as the result of a phishing attack and PHI on 13,443 patients may have been accessed by the attackers.