- Medical records containing PHI data of patients from Turquoise Lodge Hospital were found blowing around the streets of Albuquerque, New Mexico, TV station KRQE reported Sept. 1.
The medical records were being transported to a secure facility and fell off the truck, the report noted.
The New Mexico Department of Health, which runs the rehabilitation hospital that specializes in treating addicted pregnant women and parents, issued a statement that read in part:
“Turquoise Lodge was in the process of transporting patient records yesterday from the hospital to a secure facility. As soon as we were made aware of the misplaced records, we sent a team out to recover as many documents as possible. We have immediately launched an investigation and will follow all requirements under patient privacy laws to further protect the privacy of all patients and their health information.”
A patient at the hospital named Renee who was interviewed by the TV station said: “It’s personal information. I had to sign a HIPAA form to protect my privacy.”
A woman who stopped to help pick up the records said: “That’s a HIPAA violation right there.”
The department said it would contact patients who had their records compromised by the incident.
Louisiana’s ACS Admits to Email Breach Exposing PHI on 31K People
Acadiana Computer Systems (ACS), a Louisiana-based medical business services provider, reported to OCR on Aug. 17 that an email hack exposed PHI on 31,151 individuals.
In a press release, ACS said it discovered on July 6 that an employee’s email account had been accessed by an unauthorized individual, who might have compromised PHI of its clients.
When it discovered the breach, ACS disabled access to the email account, began an investigation, and engaged a third-party cybersecurity expert to assist in the probe.
ACS clients that may have been impacted include Radiology and Interventional Associates of Metairie, LSU Healthcare Network, LSU Health Sciences Center Shreveport, Poly Ryon (Oakbend) Medical Group, Oceans Acquisition, South Louisiana Medical Associates, Southern Surgical, Truman Medical Centers, University Hospital and Clinics, University of South Alabama, and Willis-Knighton Medical Center.
PHI that might have been exposed included patient names, addresses, and treatment billing information; a small number of patients’ Social Security numbers were also potentially impacted.
ACS said it is offering free identity monitoring services to those affected by the breach.
Provider’s Email Newsletter Comes with More than Weight Loss Tips
Oregon-based Family Medical Group reported to OCR on Aug. 22 that 2,077 individuals were affected by a data breach involving a desktop computer.
In a notice on its website, Family Medical Group said that on July 27 it discovered that an employee sent an email newsletter to 200 current patients and accidentally attached a data file containing personal information on 2,077 patients.
Information that was in the data file included patient names, dates of birth, email addresses, and medical record numbers. The data file did not contain any Social Security numbers or financial information.
“We contacted a risk management firm to help assess the disclosure and risk of identity theft to our patients. The risk was determined to be low, since the information released in the email was information that could already be found on the internet,” the provider explained.
On Aug. 1, staff and physicians received additional HIPAA training, and additional safeguards were implemented to protect patient information.
BHCHP Says a Break-In May Have Led to a PHI Data Breach
Boston Healthcare for the Homeless Program (BHCHP) said that a physical security lapse in mid-March 2018 led to a possible PHI data breach for patients at its St. Francis House clinic.
Someone broke into the clinic on the night of March 13, although BHCHP said that there was evidence that the intruder viewed or stole PHI.
PHI that might have been exposed to the intruder included handwritten staff notes, printed patient lists, referral forms, and insurance/benefits applications. BHCHP did not say how many people were possibly affected by the breach.
BHCHP said it conducted an internal investigation that included a search of all parts of the clinic to which the intruder would have had access and interviews with clinic and shelter staff.
The program also ensured that the clinic door was secure and implemented additional safety measures, including an additional lock on internal doors within the clinic and secure storage of keys to internal doors, file cabinets, and storage cabinets.
BHCHP also updated its policies governing how staff use and store patient information.