- The University of Michigan’s Michigan Medicine reported to OCR on Sept. 28 that there was an unauthorized access/disclosure of paper records that affected 3,624 individuals.
In a press release, Michigan Medicine said that there was a mailing error that may have exposed patient names and contact information.
On Sept. 4, Michigan Medicine discovered fundraising letters being sent to patients were incorrectly processed by the vendor, which resulted in letters being mailed to the wrong address.
Michigan Medicine said that the letters contained patient name, address phone number, and/or email address. It stressed that no Social Security information, credit or debt card numbers, or bank accounts were exposed because of the error.
This is Michigan Medicine’s second data breach reported to OCR this year. The first one, announced in June, involved the theft of an unencrypted laptop with PHI, affecting around 870 patients.
The laptop contained PHI that was collected for research, including patient names, birthdates, medical record numbers, gender, race, diagnoses, and other treatment information. However, it did not contain patient addresses, phone numbers, Social Security numbers, payment card numbers, or bank account numbers.
Tillamook Chiropractic Cops to 2-Year Data Breach Affecting 4K
Oregon-based Tillamook Chiropractic Clinic discovered on Aug. 3 that a computer network breach had occurred at its offices more than two years earlier, resulting in the theft of 4,058 patient records, according to DataBreaches.net.
Attackers used malware installed on the primary insurance billing system on May 24, 2016, to steal patient records, including patient names, diagnoses, lab results, medications, home addresses, work addresses, phone numbers, drivers’ licenses, dates of birth, social security numbers for Medicare patients only, insurance billing information, bank routing numbers and account numbers, and employee payroll data.
In response to the breach, Tillamook Chiropractic Clinic has modernized and upgraded its systems, updated its policies, and notified affected individuals.
Rebound Orthopedics Email Hack Puts PHI on 2,800 Patients at Risk
Washington-based Rebound Orthopedics and Neurosurgery said that an email hack may have exposed Social Security numbers and health information on 2,800 patients, reported The Columbian newspaper.
Rebound explained that on May 22 a hacker broke into an employee’s email account and accessed patient names, dates of birth, social security numbers, drivers’ license numbers, financial account information, and limited health information.
Rebound said it was providing free identity theft protection and credit monitoring services to those impacted by the breach.
The clinic said it is providing employee training and testing, enabling dual-factor authentication, and implementing forced email password change policy to prevent future incidents.
MedCall Exposes Data on 10K Customers Through Leaky AWS Bucket
MedCall Healthcare Advisors has suffered another data breach in less than a month from a leaky Amazon S3 storage bucket, reported DataBreaches.net.
MedCall is an emergency care medical service using communication technology to connect anyone experiencing a medical event with an emergency medicine physician.
Information on around 10,000 MedCall customers was available for anyone to download, delete, or edit, discovered security researcher Britton White. Information exposed included patient’s name, email address, postal address, phone number, gender, date of birth, and Social Security number.
Also exposed were recordings of patient evaluations/conversations with doctors, and records completed by doctors following patient or injured employee contacts, which contained information on medications, allergies, and the nature and detail of their complaint.
In the previous breach, PII on nearly 3,000 customers was stored in an unsecured Amazon S3 storage bucket.
Billing Printing Error Compromises 206 Jackson Hospital Patients
Florida-based Jackson Hospital said that 206 patients were affected by a data breach caused by a billing printing error, the Jackson County Floridian reported.
Information bled from one page of the patient billing statements to the back of another statement page sent to others in the billing cycle. Healthcare Resource Group (HRG), the service provider who handled the billing, informed the hospital about the problem in mid-August.
The exposed information included names, addresses, and a description of services rendered, but did not include Social Security numbers, birthdates, or medical conditions, according to the report.
“Patients were notified in a written letter from the third-party provider, HRG, with details about the matter,” said Jackson Hospital Director of Public Relations and Marketing Amy Milton in a statement.
“Following the HIPAA notification process, the patients have been alerted about the personal information that had been released … Steps have been taken by HRG to improve processes and prevent future printing errors,” Milton added.
Mailing Error Puts Data on Lincoln Pulmonary Patients at Risk
Pulse System, a Missouri-based medical billing company, reported to OCR on Sept. 19 that an unauthorized disclosure of paper records affected 722 individuals.
Patient names and procedure information were mixed up on statements sent after July 27, the Lincoln Journal Star reported. The error impacted patients from Lincoln Pulmonary and Critical Care, although it was not clear if all the 722 individuals were Lincoln patients, the newspaper said.
Pulse Systems said it had taken steps to address the problem and update its technology. Those affected were notified by letter.