- Memphis-based Sacred Heart Rehabilitation Center recently began notifying patients that their personal data was potentially breached due to a phishing attack.
Officials discovered the hacker gained access to an employee email account between April 5 and April 7, 2018. However, notification letters weren’t sent until January 7, 2019, and officials did not explain when the breach was discovered.
The investigation into the breach concluded in November, which found patient data was contained in the compromised email account. The breached data included patient names, Social Security numbers, health insurance information, treatment details, diagnoses, and addresses.
Sacred Heart has since increased its security, and employees have been given additional security awareness training.
Currently, the breach is not listed on the Department of Health and Human Services’ Office for Civil Rights breach reporting tool, so it’s unknown how many patients were affected. All patients are being offered a year of free credit monitoring.
Improper Patient Records’ Disposal at Hanger Clinic in Florida
Patients who received care at the Hanger Clinic in Florida, specifically at the Patient Care Center in Fort Walton Beach, are being notified that their patient records were found at the home of the ex-spouse of a former employee of the clinic.
The ex-spouse discovered the box of patient records stored among boxes of his own records in his home. The individual promptly returned the box to the Hanger Clinic.
It’s believed these patient records had been stored at the home beginning in 2009 and 2014, when the employee stopped working at the clinic. The records contained data of patients who received care at Hanger Clinic in 2009.
The individual attested and signed that he did not access the box contents, other than to assess what the box contained. As a result, officials said they don’t believe the records were further used or improperly disclosed.
“As a precaution, we recommend that affected individuals regularly review the explanation of benefits statement received from his or her health insurer,” officials said in a statement. “If the individual identifies services listed on the explanation of benefits that the individual did not receive, the individual should immediately contact his or her insurer.”
“We deeply regret any inconvenience this may cause affected individuals,” they added. “To help prevent a reoccurrence of this type of incident in the future, we are conducting a thorough review of our policies and procedures.”