Toyota Industries North America announced Sept. 28 that a data breach involving 19,000 current and former employees and health plan participants may have put PHI data security at risk.
Toyota said it discovered on Aug. 30 that an unauthorized third party could have accessed the corporate email system. It engaged information security experts to investigate the incident and secure the system.
In response to the investigation, the company is adopting multifactor authentication, implementing security monitoring enhancements, and revising and redistributing mandatory password protection and reset policies.
Information that may have been compromised included full name, home address, date of birth, phone number, financial account information, social security number, photograph of social security card, driver’s license number, photograph of driver’s license, email address, photograph of birth certificate, photograph of passport, treatment information, prescription information, diagnoses, health plan beneficiary number, and portal username, password, and security questions.
Toyota said it is providing one year of free credit monitoring and identity theft protection services to those affected by the breach.
UTHealth Admits 1,800 Medical Records Were Discarded on Street
University of Texas Health Science Center at Houston (UTHealth) said Sept. 14 that paper medical records of 1,800 patients from five Houston area facilities were stolen from a former resident’s car and later discarded on a city street.
The patient records included call sheets, rounding notes, medical record number stickers, and/or surgical schedules. Patients’ names, dates of birth, diagnoses, treatment, medication lists, vital signs, and/or admission dates were contained in the records.
The five facilities involved were UTHealth, MD Anderson Cancer Center, Memorial Hermann Health System, and Harris Health System.
An employee of KHOU-TV Channel 11 found the records on the street. The records were first copied by the TV station and then returned to UTHealth.
“Since learning that KHOU made and retained copies of the information, UTHealth has asked repeatedly that the copies be returned or destroyed,” UTHealth said in its release.
MD Anderson was in the news earlier this year when an HHS Administrative Law Judge ruled that the facility had to pay $4.3 million in penalties for HIPAA violations dating from 2012 and 2013. Interestingly, one of the breaches involved the theft from a physician’s home of a laptop containing unencrypted patient data.
Also, in May, UT Physicians, the physicians group of UTHealth, sent out mass emails that included email addresses of 2,800 patients as an attachment, according to a report by Chron.com.
Gwinnett Medical Center Says Patient Data Posted on Twitter
Georgia-based Gwinnett Medical Center (GMC) experienced an IT incident that may have involved a patient data breach, the Atlanta Journal-Constitution reported Oct. 3.
The names, dates of birth, and genders of around 40 patients were accessed by an unauthorized third party and exposed on Twitter, Beth Hardy, a spokeswoman for Gwinnett, told the newspaper.
Hardy stressed that social security numbers and medical information were apparently not compromised.
“We are taking the personal security of information very seriously,” Hardy said. “We are committed to maintaining the confidentiality of our patients.”
GMC is cooperating with the FBI and other law enforcement agencies on the possible breach. The health system has hospitals in Lawrenceville and Duluth, urgent care centers in Buford and Sugar Hill, and medical group practices across Gwinnett County.
Oklahoma DHS Admits to Sending Letters to Wrong Addresses
The Oklahoma Department of Human Services (DHS) admitted that a computer error resulted in the wrong addresses being put on letters going out to patients and guardians involved in a program for developmental disabilities services (DDS), newsok.com reported Oct. 2.
The letters, which contained changes to the patients’ plan of care, were sent out between May 17 and July 25. Around 813 clients were affected by the mistake.
“As a result of this computer error, DDS clients may have received information not belonging to them, their information may have been mistakenly sent to another person, or both possibilities may have occurred,” the agency said in a statement.
According to the report, the DHS letters would have included client name, address, case number, Medicaid client ID number, plan of care number, name of provider, and description of the type of service authorized.