Patient Privacy Violated Following Employee Theft in Oregon

Several healthcare data breaches were reported recently, including cases of unauthorized access, a mailing error, and a phishing scam.

By Elizabeth Snell

Oregon-based Northwest Primary Care (NWPC) recently notified approximately 5,300 patients that some of their personal information was inappropriately accessed by a former employee.

The patient privacy violation reportedly occurred when a former NWPC employee stole patient names, dates of birth, Social Security numbers, and credit card numbers.

NWPC explained in a statement that it was notified of the incident by local law enforcement on October 13, 2015, and that the theft took place between April 2013 and December 2013.

"Northwest Primary Care will not tolerate any violation of our patients' privacy," NWPC Administrator Michael Whitbeck said in the press release. "The former employee in connection to this violation deliberately and criminally chose to violate established clinic policies, the trust of our patients and the law. We deeply regret that this crime has occurred and for any burden that this incident may cause."

Whitbeck added that this type of data security breach “is unacceptable,” and that NWPC will support the law enforcement investigation into the incident.

Additional changes will be made to NWPC’s approach to security, the organization explained. For example, it will expand its technology monitoring capabilities and employee training, specifically training “on safeguarding and accessing patient records to further bolster privacy safeguards.” Technical precautions will also be added in an effort to better ensure patient privacy.

Several other healthcare data breaches were recently reported, including cases of unauthorized access, a mailing error, and a phishing scam.

Centegra data breach affects nearly 3,000 individuals

Centegra Health System recently notified 2,929 patients that a mailing error may have exposed some of their personal information.

On November 2, a setting on automatic mail filing equipment at the vendor MedAssets was accidentally changed, spokesperson Michelle Green told the Northwest Herald. This led to two Centegra billing statements being put in one envelope.

“Centegra Health System and MedAssets apologize for this error and are committed to fully protecting patient privacy,” Green said. “Centegra is working closely with MedAssets to ensure it has taken every step necessary to address the incident.”

The medical bills reportedly included patient names, addresses, account numbers, original account balance, third-party payment, billing discounts and adjustments, and the amount owed. Hospital service dates, a summary of services provided and related charges were also included.

Affected medical bills were sent between Nov. 2 and Nov. 6, while MedAssets informed Centegra of the error on Nov. 10.

Green explained that even though 6,000 Centegra patients were affected by the error, half received two billing statements. One was for their own hospital service, while the second detailed another patient’s service.

There is no reason to believe that the exposed information was inappropriately used, she said.

1,400 patients affected by employee’s unauthorized access

A former PeaceHealth St. John Medical Center employee reportedly accessed patient information from a home computer using third-party websites, according to a PeaceHealth statement dated November 24. The individual also used insurance verification websites and prior authorization portals.

PeaceHealth added that an investigation shows that 595 individuals had their information accessed between June 15 and Oct. 12. However, the OCR breach reporting tool states that a breach submitted on Nov. 30 affected 1,407 individuals.

“In the course of the investigation, the former employee’s personal computer and other electronic information devices were obtained and reviewed by law enforcement officials, which should ensure that all PeaceHealth patient information has been secured,” PeaceHealth explained. “To help prevent future incidents such as this, we are enhancing processes to ensure former employees are not able to access third-party websites and portals under any circumstance.”

It is also important to note that while the majority of affected patients were treated at PeaceHealth St. John Medical Center, a “small number of patients” were treated at other PeaceHealth facilities in Oregon and Washington.

Stolen laptop leads to Pathways Professional data breach

A Pathways Professional Counseling employee’s laptop was stolen on September 24, 2015, potentially exposing 986 individuals’ information. The theft was discovered the very next day, and Pathways immediately notified local law enforcement.

The device was password protected, according to a company statement, but has not yet been recovered.

Exposed information may include an individual’s name combined with one or more of the following data elements: Social Security number, date of birth, address, treating physician name, diagnosis and clinical information, phone number, email address, demographic information, financial information, health insurance information, treatment information, and medication information.    

The data breach notification process was delayed because of a request by local law enforcement, Pathways explained.

The laptop’s network connection capabilities have been terminated, the employee’s access credentials were changed, and it was confirmed that the system has not been accessed by the device in question “since the employee’s last valid access the afternoon before the laptop was stolen.”

Phishing scam causes data breach at Connecticut facility

Connecticut-based Middlesex Hospital recently reported that four of its employees had fallen victim to a phishing scam.

The incident was discovered on October 9, 2015, and may affect 946 patients. Information potentially exposed includes names, addresses, dates of birth, medical record numbers, medications, dates of service, and/or diagnoses. Full medical records and Social Security numbers were not affected.

“All patients involved in the breach have been notified and are being offered free credit monitoring for one year, as a precaution,” Middlesex said in a statement. “The Hospital is taking all necessary steps to help prevent a similar occurrence in the future.”

