- On May 5, 2017, Tampa Bay Surgery Center was made aware of a security incident in which certain patient data was posted to a public online file-sharing site by an unauthorized third party.
Law enforcement informed the healthcare center that the information was posted the day prior. A Twitter user claiming to be the unauthorized party had obtained the file and included a link to the file on the public forum.
The file has since been removed from the site, and the healthcare center’s investigation into the incident is presently ongoing.
According to the OCR data breach reporting tool, the information of 25,848 patients was potentially exposed in the incident.
Possibly exposed information included patient names, addresses, dates of birth, and Social Security Numbers.
Tampa Bay Surgery Center stated there is currently no reason to suspect any information has been misused. Additionally, no medical or procedure information was posted online.
The healthcare center has issued letters to potentially impacted patients providing guidance on how to protect their information following the incident. Tampa Bay Surgery Center is also providing free identity theft protection services to affected individuals.
“The company has made and continues to make changes to processes and procedures to help prevent a similar occurrence from happening again,” stated the healthcare center in a posted notice.
Ransomware attack potentially exposes PHI of 10K
PVHS-ICM Employee Health and Wellness, LLC recently informed its members of a ransomware attack that potentially threatened the safety of patient PHI.
On May 4, 2017, PVHS-ICM discovered that a server at its UC Health Walk-In Clinic containing patient health records had been infected with ransomware.
The server contained patient information including names, Social Security numbers, and medical information for individuals seen at the clinic before September 23, 2014.
The information of 10,143 individuals was potentially impacted by the incident, according to the OCR data breach reporting tool.
Upon discovering the ransomware infection, PVHS-ICM immediately launched an investigation and hired an independent computer forensic expert to assess the extent of the damage.
Through its investigation, the health and wellness group determined an unauthorized user had hacked the server. However, PVHS-ICM stated there exists no evidence to suggest the information has been accessed or removed from the server.
The health and wellness group notified potentially impacted individuals of the incident. The organization stated the server did not contain any patient financial information and was not connected to any other computer systems.
Additionally, the server did not contain any information more recent than September of 2014.
As a result of the incident, the organization is offering one year of free identity theft protection services to all potentially impacted patients.
“We want to assure you that we are taking steps to prevent this kind of event from happening in the future, including taking the server offline, creating an encrypted backup of the information on the server, and storing the backup in a secure location,” said the statement, which was signed by PVHS-ICM Manager James Sprowell, MD.
Health IT company suffers employee email account hack
On May 3, 2017, the Information Technology Security Team at Community Link, Inc. discovered evidence that an unauthorized individual had gained access to an employee’s email accounts.
Community Link immediately locked down the email account and launched an investigation into the incident. Through its investigation, the company learned the incident likely occurred between 9:49 am and 1:52 pm on May 3, 2017.
Information contained in the email account included a limited number of member information such as name and Social Security number.
The information of approximately 5,524 members may have been involved in the incident, according to the OCR data breach reporting tool.
Community Link stated there is no evidence to suggest any members’ information has been accessed or misused in any way.
The company issued notices to all potentially impacted members informing them of the incident. Additionally, Community Link established a call center to answer any questions concerned members may have regarding the safety of their information.
“To help prevent something like this from happening in the future, we have implemented additional security measures for the access of email and use of mobile devices, requiring additional password protection on spreadsheets containing protected health information and conducting refresher training with staff on privacy and security policies and procedures,” Community Link said in its statement.
Potential data breach at Detroit health system impacts 1.5K
The Detroit Medical Center recently became aware of a potential data breach involving the PHI of approximately 1,529 patients that had visited one of its facilities between March of 2015 and May of 2016.
The health system stated a third-party staffing agency informed hospital officials that one of its employees had provided patient information to an unauthorized party not affiliated with Detroit Medical Center, according to a Detroit Free Press report.
The breach potentially involved the health records of patients from all of the health system’s facilities including Children’s Hospital of Michigan, Detroit Receiving Hospital, and others.
In response to the incident, the health system enlisted the help of law enforcement to conduct an investigation that is still ongoing.
Additionally, Detroit Medical Center has issued letters notifying all potentially impacted patients of the breach.
"Keeping medical data and hospital networks safe from unauthorized access is one of the biggest security threats facing the industry,” Chief Security Communications Officer for the Kromtech Security Research Center told the news source.
The health system is offering free credit monitoring services to all patients concerned about the safety of their information.
The Detroit Medical Center added it intends to implement changes to patient health data monitoring programs to prevent similar events in the future.
Atlanta clinic ransomware attack targets patient data
Atlanta, Georgia-based Peachtree Neurological Clinic recently informed patients of a ransomware attack infecting its computer system that may have impacted patient information.
Hackers demanded payment from Peachtree in exchange for access and decryption of the impacted files. Peachtree refused to pay the ransom and instead restored the lost files through backup records.
An investigation into the incident showed no additional evidence of ransomware or any residual impact to data not contained within the initially affected system.
However, the investigation did show the computer system had previously been accessed without its knowledge between February of 2016 and May of 2017.
Peachtree has not specified which patient EHRs were accessed in the incident but stated patient names, addresses, phone numbers, Social Security numbers, dates of birth, driver’s license numbers, treatment and procedure information, prescription information, and health insurance information were all contained within the impacted computer system.
The clinic has alerted all potentially impacted patients of the breach and extended an offer for free identity theft protection services. Peachtree has also notified law enforcement.
“We take patient privacy seriously, and are very sorry for any concern or inconvenience this incident has caused or may cause to anyone who has been affected,” said Managing Partner of PNC Lawrence Seiden, M.D.
Additionally, Peachtree has set up a call center to answer any questions concerned patients may have regarding the status of their information.
The clinic has not revealed how many patients were impacted by the breach.
Another Peachtree facility—Peachtree Orthopedics—previously suffered a cyberattack on September 22, 2016 in which an unauthorized individual gained entry into its computer system.
An investigation found patient names, home addresses, email addresses, and dates of birth were potentially stolen during the incident. Additionally, some patient prescription records and Social Security numbers may also have been accessed during the 2016 breach.