New Mexico Department of Health Data Breach Exposes Decedent Health Information

May 11, 2023 - The New Mexico Department of Health (DOH) reported a breach to HHS that impacted 49,000 individuals. The breach occurred when DOH discovered that a spreadsheet containing information about individual deaths in New Mexico had been sent to a journalist.

The journalist had requested information under the Inspection of Public Records Act, but the information that was sent included protected health information (PHI). Specifically, the spreadsheet contained PHI regarding every death in New Mexico from January 2020 to December 2021.

Notably, the information did not include names, birthdates, addresses, or contact information. DOH encouraged families to remain vigilant against any suspicious activity in the name of a recently deceased person in their family.

“We have taken steps to comply with all applicable state and federal laws,” the notice stated. “In addition, we are working to enhance policies and practices to elevate the protection of patient information in the future.”

Catholic Health Suffers Third-Party Data Breach

Long Island, New York-based Catholic Health disclosed a third-party data breach that stemmed from Minimum Data Set Consultants, LLC (MDS), a firm that provides consulting services to skilled nursing facilities.

The breach impacted some long-term care residents at Catholic Health. MDS discovered unusual activity within its electronic health records files in late March and immediately launched an investigation. The investigation determined that a former MDS employee had accessed the records on August 27, 2022 without authorization.

“While it is uncertain what accounts were actually breached, out of an abundance of caution, MDS and Catholic Health have notified all long term care residents who have protected health information (PHI) in the medical records system,” the notice stated.

The files contained names, demographic information, Social Security and Medicare numbers, diagnosis information, and dates of birth. Catholic Health said it had no indication that any of the information misused for the purposes of identity theft.

“Data privacy and security are among Catholic Health’s highest priorities,” the notice continued.

“The health system’s Information Security Office is conducting a thorough review of its application access and processes to prevent similar incidents from occurring in the future. MDS has also taken steps to ensure the individual suspected of this incident no longer has access to these records.”

ASAS Health Notifies 25K of Data Breach

Texas-based ASAS Health notified 25,527 individuals of a data breach that it discovered on March 9, 2023. ASAS Health discovered suspicious network activity and later determined that an unauthorized party had accessed its network.

Upon discovery, the practice immediately contacted cybersecurity experts and reported the incident to law enforcement. A variety of information was potentially involved, including names, dates of birth, Social Security numbers, disability codes, Medicare ID numbers, health plan carrier information, financial information, addresses, phone numbers, diagnoses, and driver’s license numbers.

ASAS Health could not “definitively determine whether and what information was actually accessed or subsequently compromised” but encouraged impacted individuals to remain vigilant and monitor accounts.

“To protect you and other patients from future breaches of personal, sensitive, and protected health information, we continue to refine our security protocols and maintain a robust information security system,” the notice stated.

“Additionally, we have sent this Notice to you along with the resources and services described below. ASAS Health will also fully cooperate with any law enforcement investigation.”