Rhode Island-based The Neurology Foundation, Inc. (Foundation) recently announced that an employee had accessed PHI without authorization. The employee had been using a company credit card to make unauthorized purchases, but it was discovered that the individual had also transferred certain Foundation data onto a hard drive stored in the employee’s home.
“The storage of Foundation data on external media is not permitted by the Foundation and the Foundation has since recovered the hard drive,” the organization said.
A third-party forensic investigation determined on May 25, 2017 that the same individual had also “transferred sensitive information onto his desktop, a hard drive, and several thumb drives.”
“The employee has been terminated and the Foundation has been working diligently, with the assistance of third-party forensic investigators, to determine the full nature and scope of this incident, and to confirm the security of its systems,” the Foundation stated.
Potentially affected information includes patient names, addresses, phone numbers, email addresses, sex, race, dates of birth, Social Security numbers, medical diagnoses, treatments and medications, insurance policy numbers, bank account numbers, and/or medical record numbers.
The OCR data breach reporting tool states that 12,861 individuals may have been impacted.
There is currently no indication that the information has been misused or that misuse has been attempted, the Foundation maintained. However, the organization is still providing free credit monitoring services to those who were possibly affected.
Security breach could affect 12K at hand rehabilitation clinic
Hand & Upper Extremity Centers, dba Hand Rehabilitation Specialists (HRS), recently reported that it may have been the victim of a security breach of its network.
The organization did not specify how it had possibly been infiltrated, only that it was informed of the incident on July 5, 2017.
“To date, law enforcement has found no evidence of any information leaving HRS’s system,” HRS said in a statement. “However, unauthorized access could not be ruled out, so out of an abundance of caution, HRS is providing notice to all individuals who could be potentially affected and providing protective services to those who choose to take advantage of the service.”
Patients and their financial guarantors seen from 2003 to 2014 may have been affected. Information involved may include patient names, dates of birth, addresses, phone numbers, Social Security numbers, dates of services, diagnoses, CPT (billing) codes, cost, amount of co-pays made by checks, medical insurance companies, insurance group numbers and contact information, check numbers, and HRS’s name and practice contact information.
The OCR data breach reporting tool reports that 12,806 individuals may have been affected.
“Hand Rehabilitation Specialists notified all three consumer reporting bureaus, the applicable state and federal agencies, it is reviewing office policies and procedures, and it will continue work with law enforcement in its criminal investigation,” HRS reported.
FL group reports phishing scheme
The Florida Healthy Kids Corporation (Corporation), which is an administrator of the Florida KidCare program, announced that a phishing scheme may have impacted a group of Florida KidCare families.
The unauthorized access may have exposed some personal electronic data for a limited time, according to a Corporation release.
“On September 7, 2017, the Corporation notified approximately 1,700 individuals that its electronic mailboxes were victim to a ‘phishing’ scheme which left their personal data on file with the Corporation accessible to unauthorized persons or entities for a 24-hour period from July 25, 2017 to July 26, 2017,” the Corporation explained.
Nearly 300 other individuals may have been affected, but the Corporation said it did not have contact information for those parties.
The incident was discovered on July 27, 2017, and the Corporation immediately “shut down any unauthorized access to impacted email accounts and launched an investigation.”
Possibly affected data included names, addresses, telephone numbers, family account numbers, and Social Security numbers.
“Protection of personal information and privacy remains a top priority for the Corporation and the Florida KidCare program,” the statement read. “The Corporation has instituted changes to further enhance its policies and procedures to protect your privacy.”
Cybersecurity attack affects North Carolina hospital
North Carolina-based Morehead Memorial Hospital recently experienced a cybersecurity attack stemming from “fraudulent communications,” according to an online statement.
It was not specified when the incident took place, only that the unauthorized party was able to obtain login information that gave it access to two email accounts within the hospital.
“Promptly upon learning about these communications, steps were taken to address the incident,” Morehead stated. “Our IT staff cut off access to the affected accounts, issued a network-wide password reset, and engaged top-tier forensic consultants to conduct a full investigation.”
Certain former patient or employee information was in the accessed email accounts. The data may have included health insurance payment summaries, treatment overviews, health plan information, and in limited cases, Social Security numbers.
“To help prevent an attack like this from recurring, we are enhancing additional security measures to protect our systems, and we are providing additional training to our staff so that they are better prepared to identify potentially fraudulent communications,” Morehead said. “We have also created an internal web page to provide timely updates to employees as we become aware of phishing and email attacks.”
There has been no indication that the potentially compromised information was misused in any way, the hospital added. Even so, individuals were urged to regularly check their credit reports and explanation of benefits.
Morehead did not state how many individuals were possibly impacted.
AR DHS reports potential Medicaid data breach
The Arkansas Department of Human Services (DHS) recently announced that an inadvertent employee email resulted in a potential Medicaid data breach for some Medicaid beneficiaries.
An email with spreadsheets containing names of Medicaid beneficiaries, linked Medicaid identification numbers, some Social Security numbers, and codes for medical procedures that beneficiaries underwent was sent to an employee’s home email address. This is considered a “breach of information as described in state and federal law and DHS policy,” DHS said in its online statement.
There were 26,044 unique names in the spreadsheets.
“We at DHS want to make sure beneficiaries are aware of this situation, understand what happened and know the steps we are taking to ensure something like this doesn’t happen again,” DHS Director Cindy Gillespie said in a statement. “The privacy of beneficiaries is important to us, and we take this situation very seriously.”
The incident was discovered when attorneys were preparing to represent DHS in a wrongful termination lawsuit.
“Gillespie noted that DHS employees undergo security and privacy training and cannot gain internet access at work until they pass a test on what they were taught,” DHS explained. “The training includes the prohibition of emailing confidential information outside the scope of a person’s job. DHS is working with attorneys to recover the spreadsheets and has contacted the Pulaski County Prosecuting Attorney’s office to pursue criminal charges and prosecution.”