Oregon Health System Uncovers 9-Year HIPAA Violation by Physician

March 13, 2023 - Asante, an Oregon-based health system, has informed patients about a HIPAA violation caused by a physician who compromised protected health information (PHI) without a valid clinical need. For nearly nine years, the employee inappropriately accessed over 8,834 patient records.

Although the employee had access to EHRs as part of his job, Asante discovered that the physician accessed patient records unrelated to his work, also known as EHR snooping.

“A concern was raised that a doctor with admitting privileges at Asante, Dr. Paul Hoffman, may have accessed a number of patients’ records without a valid clinical need,” Asante stated in a breach notification. “Dr. Hoffman is not an employee of Asante but had access to Asante’s electronic health record system in order to treat his patients when they are seen at Asante facilities.”

After Asante detected the unauthorized access, an investigation was launched, revealing that it occurred between June 12, 2014, and January 3, 2023. The impacted information may have included patients’ names, demographic data, and diagnostic and treatment information. However, Hoffman could not access patients’ full Social Security numbers, driver’s license numbers, or payment card or bank account information.

Asante stated that there is no reason to suspect that the unauthorized access of PHI was for fraudulent purposes but out of curiosity. Furthermore, the organization reassured patients that they do not need to take additional steps and that this incident does not increase their identity theft risk.

READ MORE: HHS Restructures OCR to Better Handle Increased HIPAA Complaint Volume

As a result of Asante’s investigation, Dr. Hoffman’s access to EHR records was promptly terminated, and Asante reported his conduct to the Oregon Medical Board.

Boston Community Health Center Faces Ransomware Attack, 10K Impacted

Codman Square Health Center provided notice of a ransomware attack that potentially exposed the PHI of 10,161 patients.

On November 28, 2022, Codman, a non-profit healthcare center located in the Dorchester neighborhood of Boston, reported that ransomware had encrypted their healthcare records

Further investigation revealed that between November 23, 2022, and November 27, 2022, an unknown actor gained access to certain parts of the network. Certain files were viewed and possibly stolen from the network during this period, including names, addresses, dates of birth, medical record numbers, diagnoses, other treatment information, and claims data.

On January 25, 2023, Codman discovered that certain health information was in a folder subject to unauthorized access. Although it is unclear if the information was viewed without authorization, the organization said it is giving notice as there is a possibility that the health information may have been accessed.

READ MORE: Banner Health Pays $1.25M to Resolve HIPAA Security Rule Investigation

“Codman takes the confidentiality, privacy, and security of information in its care seriously,” Codman stated in the data security notification. “Upon discovery of the incident, we immediately commenced an investigation to determine the nature and scope of the event, took steps to implement additional safeguards, and are reviewing our policies and procedures relating to data privacy and security.”

Michigan Surgical Group Discloses Hacking Incident, 15K Impacted

Northeast Surgical Group (NESG) issued a data breach notification regarding a hacking incident that impacted 15,298 individuals.

On January 8, 2023, the practice discovered suspicious activity within its network environment, prompting the engagement of third-party cybersecurity consultants for a forensic investigation.

NESG became aware of a cybersecurity incident on that date but could not determine the extent of the impacted data until February 13, 2023, when the investigation was completed. The third-party security team that NESG consulted concluded that certain personal information was inappropriately accessed, including patient name, address, Social Security number, and, in some cases, date of birth and medical and treatment information

“Data security is one of our highest priorities,” NESG officials wrote in a public statement. “Upon detecting this incident, we moved quickly to initiate a response, which included retaining a leading forensic investigation firm who assisted in conducting an investigation along with the assistance of leading IT specialists to confirm the security of our network environment. We have also deployed additional monitoring tools and will continue to enhance the security of our systems.”

READ MORE: How to Properly Dispose of Paper Medical Records, Physical PHI Under HIPAA

The Michigan-based surgical group will provide impacted individuals with 12 months of identity monitoring services. Affected individuals should remain vigilant and review account statements, NESG recommended.

Hacking and IT incidents continue to impact the healthcare sector and are responsible for most healthcare data breaches.

Fortified Health Security’s “2023 Horizon Report” has revealed that nearly 80 percent of healthcare data breaches reported to the HHS Office for Civil Rights (OCR) in 2022 were due to hacking and IT incidents. This is a significant increase of 45 percent from five years ago, emphasizing the necessity of improving cybersecurity measures in the healthcare industry.