Pennsylvania-based Washington Health System (WHS) Greene recently announced that a missing external hard drive has created security breach concerns at the organization.
The device was for the Bone Densitometry machine and contained certain patient information, WHS stated. The hard drive was noticed to be missing from the Radiology department on October 11, 2017. Only patients who underwent bone density studies at WHS Greene from 2007 until October 11, 2017 may have been affected.
Patient names, height, weight, race, and gender information may have been included on the device, the organization said. Additionally, medical record numbers and health issues may have been included for some patients, but not all. Social Security and financial information were not involved.
WHS Greene added that there is no indication that an unauthorized individual is using patient information. It is also unlikely that the data is being misused because there is a limited amount of data involved, the organization said.
“Washington Health System Greene is committed to maintaining the privacy and security of patient information, including regular review and evaluation of the security of all processes in place,” WHS Greene stated. “This unprecedented situation has our full attention and please be assured that we have taken and will continue to take steps to ensure that a breach of this nature will not happen in the future.”
The OCR data breach reporting tool states that 4,145 individuals may have been affected.
Improper binder disposal creates PHI privacy concern
A binder containing a log with certain patient PHI was mistakenly recycled on October 17, 2017, according to an NYU Langone Health statement.
Information related to presurgical insurance authorizations from NYU Langone Health Pediatric Surgery Associates was included in the binder.
The organization’s cleaning company reportedly recycled the binder, which contained certain data on approximately 2,000 patients. The information included names, dates of birth, dates of service, diagnosis codes, current procedural terminology codes, insurers’ names and identification numbers.
“Other short related comments, such as any insurance approval or denial information and inpatient or outpatient status” may also have been included, NYU Langone Health stated.
Potentially affected patients will receive one year of complimentary identity theft protection services, the organization added. However, NYU Langone Health said there is no indication the data has been misused.
“NYU Langone is committed to protecting the privacy and security of its patients’ health information and has taken steps to ensure that a similar incident will not occur,” the organization explained. “Staff was reeducated on the importance of safeguarding patient information and the practice updated their workflow to further protect such information.”
Cybersecurity attack impacts 1.7K at Austin Manual Therapy
Austin Manual Therapy said it learned on October 9, 2017 that there was unauthorized access to its system.
An investigation determined that “limited portions” of the system were accessed between October 3, 2017 and October 9, 2017. However, there is no evidence that “unauthorized activity” took place on the organization’s core EHR system.
“Despite conducting a comprehensive forensic analysis, we have very little evidence as to what documents or information the attacker was able to access or steal,” Austin Manual Therapy stated. “We know that the attacker was able to access one of our computers and a shared file system.”
The organization added that the cybersecurity attack may have led to patient names being accessed, along with one or more of the following: addresses, phone numbers, occupations, dates of birth, insurance policy information, insurance coverage and eligibility information, charge amounts, dates of service, driver’s license information, diagnosis, health screening information, referring physician information, and full or partial Social Security numbers.
OCR reports that 1,750 individuals may have been affected. Austin Manual said that most of those affected reside in Texas, although a few individuals reside in other states.
“While our investigation is substantially complete, it remains ongoing and will likely continue through the end of the year,” Austin Manual explained. “We also have implemented and are continuing to implement additional security measures designed to prevent a recurrence of this type of attack, to quickly identify unusual activity, and to further protect the privacy of your information.”
CA facility reports computer system compromised by ransomware
California-based Stanislaus County Behavioral Health and Recovery Services (BHRS) explained in a statement that it experienced a ransomware attack on December 12, 2017.
“The network has been shut down and isolated from the County-wide network while online services and communication are being provided by other means temporarily, and client care has continued,” read a Stanislaus County statement from December 15, 2017.
The statement added that Stanislaus County has previously mitigated ransomware attacks, but that “the particular techniques used in this attack were able to get past the security mechanisms that are in place.”
Stanislaus County explained that all BHRS locations are still able to see patients and that phone lines are working.
“All BHRS computers are being held in quarantine to prevent any further infection,” the statement read. “No breach of personal information has been detected at this time.”
Stanislaus County did not specify how many individuals may have had their information involved.
A Modesto Bee report states that hackers demanded about $65,000 in bitcoin ransom, but that the organization does not intend to pay the ransom.
The news source said that BHRS has more than 400 employees and provides services “for about 14,000 adults and children, including mental health services and help with overcoming addictions.”
Computer hard drive with patient data sold online
New Jersey-based Chilton Medical Center recently reported that an employee removed a computer hard drive and sold it on the internet.
The organization said it learned of the incident on October 31, 2017, and that the hard drive was sold earlier in the month. It was against Chilton Medical Center policy for the individual to remove the hard drive, the entity stated.
Only certain patients treated at Chilton Medical Center from May 1, 2008 to October 15, 2017 may have had their information affected. However, the organization did not state how many individuals may have been impacted.
The hard drive may have included patients’ names, dates of birth, addresses, medical record numbers, allergies, and medications the patient may have received at Chilton Medical Center.
“During our investigation, we determined that the former employee removed other devices and assets from Chilton Medical Center to sell on the internet in violation of policy,” the statement explained. “While we currently have no indication that any of these devices or assets contain patient information, we continue to investigate this incident and, if we determine additional patients are affected, we will notify them as appropriate.”
Chilton Medical Center added that it has since enhanced its privacy processes and controls to prevent this type of incident from recurring.