- Onco360 and CareMed Specialty Pharmacy are notifying patients that a data security incident stemming from unauthorized access to employee email accounts may have involved their health information.
Suspicious activity on an employee’s email account was first discovered on November 14, 2017, Onco360 said in an online statement. An investigation determined on November 30 that three employee email accounts had been accessed.
The company said that it determined on January 8, 2018 that some of the emails may have contained demographic information, medication and clinical information, health insurance information and Social Security numbers. The financial account information of a few individuals may also have been involved.
The OCR data breach reporting tool states that 53,173 individuals may have been affected.
“Prompt measures were taken to address this incident, including changing email account passwords, providing additional training to employees on recognizing suspicious emails, implementing additional measures to further enhance e-mail security and reporting the incident to law enforcement,” Onco360 stated, adding that affected individuals will be offered complimentary credit monitoring and identity protection services.
“Although there is no indication that any of the information has been misused and even if risk of misuse may be low, as a precaution, affected individuals should carefully monitor their credit reports and billing statements for any unauthorized activity in the upcoming months,” the organization explained.
Palomar Health employee accesses medical records outside of duties
California-based Palomar Health announced that a former employee accessed patient information without authorization sometime between February 10, 2016 and May 7, 2017.
The accessed electronic health medical records may have included first and last names, dates of birth, gender, medical record numbers, diagnoses/reasons for visit, Palomar treatment locations, medications, and allergies.
However, credit card information, financial information, and Social Security numbers were not accessed.
“To prevent future incidents of this nature, increased audits of access to health records are being implemented and additional awareness/ training has been and continues to be provided to all employees to ensure patient privacy procedures are strictly followed,” Palomar Health stated.
The organization added that “only a small percentage of all Palomar Health patients” were affected and there is no indication that any data was “compromised, transferred, or viewed outside of the Palomar Health electronic medical record system.”
NBC San Diego reported that 1,309 patients may have been impacted.
Stolen university laptop possibly contained student health information
Montana State University Billings (MSUB) reported to the Montana Attorney General’s office that a theft may have impacted the personal information of students.
MSUB said in its notification letter it learned on November 11, 2017 that certain items, including an athletic department laptop, were stolen from an employee’s vehicle while the individual was traveling.
An investigation found that names, health insurance information, dates of birth, Social Security numbers, and limited health information may have been on the laptop.
MSUB did not state how many individuals were potentially affected, and did not specify if the laptop was encrypted or password protected.
There is no indication that any data was misused, but MSUB said it will still be offering potentially affected individuals complimentary identity protection services for one year.
“To help prevent something like this from happening in the future, we are moving toward full encryption of laptops for employees who travel and reinforcing current policies regarding protecting university assets while traveling,” read the letter, which was signed by Athletic Director Krista Montague.
Health system wards off attempted cybersecurity attack
Mississippi-based Singing River Health Systems was able to thwart an attempted cybersecurity attack earlier this week, according to multiple news reports.
“Late last night our Information Systems Team detected an attempted attack and immediately activated our security protocols,” Chief Operating Officer and Interim CEO Lee Bond said in a statement. “Out of an abundance of caution we shut down our networks entirely so that we could isolate the problem and reboot our system.”
“We are still evaluating what occurred but have detected no compromises of Protected Health Information or patient data in this attempt,” Bond continued.
The health system’s clinical teams are trained for downtime procedures so there will be no interruption in patient care, he added. There were still “a few inevitable delays that system downtime creates,” Bond said.
Singing River reportedly expected to return to regular operations soon.