Two separate PHI data breaches at facilities in Arkansas and Oklahoma potentially compromised the information of approximately 5,700 individuals. Although the two incidents had different causes, both underline why healthcare organizations need comprehensive and current approaches to health data security.
Unsecured email leads to PHI data breach
Arkansas-based Nephropathology Associates, PLC (Nephropath) reported that one of its employees sent an unsecured email to a vendor that included PHI and de-identified information. Even though the vendor in question was the intended email recipient, Nephropath stated in a letter posted to its website that the PHI should not have been included.
The disclosure was discovered on August 19, 2015, and Nephropath explained that the vendor was also notified and told to destroy all copies of the information. Potentially exposed information includes data on patients who were treated by the facility between 2000 and 2008. The data set reportedly included first and last names, patients’ ages at the time of treatment, Nephropath accession numbers, referring physicians, and pathology diagnoses.
However, addresses, financial information, and Social Security numbers were not included, the facility said.
“As a result of this incident Nephropath is reviewing its policies and procedures to protect against future incidents of this nature,” stated the letter, which was signed by Practice Coordinator and Compliance Officer C. Aaron Nichols, MHSA, CMPE. “As part of this process we will be providing additional training to our workforce and the responsible employee.”
The Nephropath data breach report sent to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) stated that 1,260 individuals were affected by the incident.
Nephropath added that the vendor sent written assurance that the information was destroyed and not sent to anyone else. Moreover, there is no reason to believe that any physical or digital copies were kept by any parties, Nephropath said.
Cybersecurity attack affects 4,500 home care patients
A cybersecurity attack reportedly compromised the PHI of 4,500 patients at Indian Territory Home Health and Hospice, LLC, DBA "Aspire Home Care and Hospice."
The attack took place on August 10, 2015, according to a statement posted on the Aspire Home Care website, affecting its systems and potentially exposing sensitive information. The statement did not specifically describe the event, saying only that it was “the target of a cybersecurity attack.”
The affected data includes patients’ names, dates of birth, addresses, telephone numbers, Social Security numbers, insurance information, prescription information, patient identification/medical record numbers and certain medical/clinical information.
Aspire Home Care added that financial information was not included in the exposed data.
“Aspire immediately disabled certain accounts, implemented password resets for identified targeted users and performed a security assessment,” the statement read. “In the aftermath of this incident, Aspire will continue to review its systems and improve the security of the information it maintains by implementing, for example, additional audit and surveillance technology to detect unauthorized intrusions.”
The OCR data breach report listed the event as a “hacking/IT incident” and indicated that the information had been breached through email. OCR stated that 4,500 individuals had been affected.