Healthcare Information Security

PHI Data Breaches, Fraud in Georgia and New York

By Sara Heath

PHI data breach security is a primary concern for all healthcare professionals. However, in recent weeks, it has been challenged at both the Georgia Divisions of Aging Services and Healthfirst, a health insurance agency based in New York. Between data exchange via email and the threat of fraud, both cases show that PHI security is always open to improvement.

PHI data breach at Georgia Division of Aging Services and Healthfirst

Georgia Divisions of Aging Services discloses PHI via email

The Georgia Divisions of Aging Services notified approximately 3,000 clients of a PHI data breach, according to a statement made by the Georgia Department of Human Services (DHS). The breach, which affected individuals in the Community Care Services Program (CCS), is reportedly small in breadth and has been completely resolved.

The cause of the breach was an accidental email sent to one of the program’s contracted providers, and it disclosed information regarding patient diagnoses. No other information, including contact information, Social Security numbers, or Medicaid numbers, was disclosed. All individuals affected have been notified in accordance with federal mandates.

Despite the small scale of the incident, the Department of Aging Services is still taking measures to improve its security systems. According to the statement, the Department has added new safeguards to its data systems and has also implemented new training practices for members of the department.

Officials from the Department expressed regret for the incident, and emphasized that patient safety and security are of the utmost concern.

“While we are confident that this data breach was limited in nature and resolved almost immediately, we are obligated to ensure that our clients and the public can trust the integrity of our programs,” said Georgia’s Human Services Commissioner Robyn A. Crittenden. “We take client privacy very seriously, and it is important that the public is fully aware of this situation and aware of our efforts to prevent such an event in the future.”

Healthfirst notifies 5,300 clients of data breach

After a cyberattack on Healthfirst’s online portal, the health insurance company is notifying approximately 5,300 individuals that their PHI may have been compromised, according to a company statement. However, no Social Security information was disclosed in the data breach.

Healthfirst was first informed that it was a victim of fraud by the US Department of Justice (DOJ) on May 27, 2015, and from there prosecuted the perpetrator and continued a joint investigation with the DOJ. The two organizations discovered that the culprit, who committed the fraud in 2013, had also gained access to Healthfirst records, and that a PHI data breach had occurred. On July 10, 2015, both Healthfirst and DOJ agreed that there had been an official breach of data between April 11, 2012 and March 26, 2014.

The company has stated that the perpetrator gained access to patient names, dates of birth, addresses, health insurance plan information, description of missing services, physician numbers, Healthfirst member ID numbers, patient ID numbers, Medicare and Medicaid ID numbers, claim numbers, and diagnosis codes.

Healthfirst began notifying affected individuals on July 25, and also notified the proper government channels such as the US Department of Health and Human Services (HHS). Notice of the breach can also be found on Healthfirst’s website.

The insurance plan is also making strides to protect the patients whose PHI had been compromised. It has promised one full year of identity and credit monitoring, as well as anonymous access to identity theft specialists. Healthfirst is also taking preventative measures to keep this from happening in the future, including revising its security policies and its online portal security.

The company expressed its disappointment that the incident occurred, reinforcing its commitment to patient security.

“Healthfirst sincerely regrets that this incident occurred,” the company said in its statement. “Healthfirst takes the privacy and security of its members’ health information very seriously. Healthfirst values the trust its members have placed in it as their health plan and it is Healthfirst’s priority to reassure its members that it is taking steps to ensure its members’ information is protected.”

