Nebraska-based Boys Town National Research Hospital reported to OCR July 20 a healthcare data breach that may have exposed PHI on 105,309 individuals.
In a statement, Boys Town said it discovered on May 23 unusual activity relating to an employee’s email account. Working with computer forensics experts, it determined that the account had been hacked into and that an unknown individual accessed the account, which contained PHI on hospital patients and employees.
On or around July 3, Boys Town confirmed that the information that may have been exposed included names, dates of birth, Social Security numbers, diagnoses or treatment information, Medicare or Medicaid identification numbers, medical record numbers, billing/claims information, health insurance information, disability codes, birth or marriage certificate information, employer identification numbers, driver’s license numbers, passport information, banking or financial account numbers, and usernames and passwords.
Boys Town is offering affected individuals free identity protection services for a year.
Blue Springs’ Ransomware Attack Exposes PHI on 45K Patients
Missouri-based Blue Springs Family Care informed OCR July 10 that hackers gained access to its electronic medical records and network server, putting PHI on 44,979 patients at risk.
In a letter to affected individuals, Blue Springs Family Care said that its computer vendor determined that the clinic’s systems had suffered a ransomware attack.
The information that might have been exposed included patients’ full names, home addresses, dates of birth, Social Security numbers, account numbers, driver’s license numbers, medical diagnoses, and disability codes.
“The investigation found indications that unauthorized persons had compromised the Blue Springs computer system and loaded a variety of malware programs, including the encryption program responsible for the ransomware attack. The investigation concluded the unauthorized persons would have had the ability to access all of the Blue Springs computer systems,” the clinic said in its letter.
Blue Springs Family Care did not say whether it was providing free credit monitoring services to affected individuals.
Golden Heart Says 44,600 Patients Affected by Ransomware Attack
Alaska-based medical billing company Golden Heart Administrative Professionals informed OCR July 9 that a network server hack exposed PHI on 44,600 individuals.
The hack involved ransomware being deployed on the company’s server containing client patient information, according to a report by the Fairbanks Daily News-Miner newspaper.
“All client patient information must assume to be compromised,” according to the company.
This is the second healthcare data breach to be reported in Alaska this month.
The Alaska Department of Health and Social Services reported that it had a security breach of a Division of Public Assistance computer in late April. That incident, according to the agency, may have resulted in the unauthorized disclosure of personal information of more than 500 people who interacted with the division's northern region office.
The computer accessed sites in Russia, had unauthorized software installed, and exhibited other suspicious behavior that provided strong indications of a computer infection, according to a news release from the state.
The computer had documents with information on pregnancy status, death status, incarceration status, Medicaid/Medicare billing codes, criminal justice, health billing, Social Security numbers, driver’s license numbers, first and last names, birthdates, phone numbers, and other confidential data, the news release said. Hackers may have used the infected computer to steal data, it added.
NE Dermatology Cops to Improper Paper Records Disposal for 16K Patients
New England Dermatology reported to OCR July 13 that the improper disposal of paper records may have exposed PHI on 16,154 patients.
New England Dermatology, doing business as New England Dermatology and Laser Center (NEDLC), admitted that medical records of patients who visited its Northampton, Massachusetts, office over a five-year period were disposed of without being shredded, reported TV station WWLP July 19. The error was discovered on May 23, 2018.
The records contained patient names, addresses, and health information, but not Social Security numbers or financial information, according to NEDLC Executive Director Steve Ieraci.
NEDLC has instituted a new waste disposal protocol, including training employees and contractors.
NY Doctor Admits to Computer Breach Affecting 3,775 Patients
Ruben U. Carvajal, MD, a healthcare provider in New York, reported to OCR July 17 that hacking of a desktop computer containing electronic medical records may have exposed PHI of 3,775 individuals.
In a statement, Carvajal said that he was informed January 3 that patient information may have been accessible on the internet.
Carvajal then contacted the FBI and the New York Police Department. The FBI examined his computer and determined on February 13 that his electronic medical records had been subject to unauthorized access.
Upon further investigation, Carvajal determined on May 22 that the unauthorized access took place between December 16, 2017, and January 3, 2018.
Information that may have been exposed included patient names, addresses, dates of birth, medical history, diagnoses/conditions, lab/test results, treatment information, medications, health insurance information, and/or claims information. If patients received Medicare, their Medicare ID, which is also their Social Security number, may have been exposed.
Carvajal began notifying those affected on or about July 17 and is offering them free credit monitoring and identity protection services.
NorthStar Anesthesia Admits to Phishing Attack That Exposed PHI
Texas-based NorthStar Anesthesia announced July 20 that an email phishing campaign resulted in the compromise of certain employees' email credentials. The clinic did not disclose how many people were affected.
Through an investigation, NorthStar determined that an unauthorized actor gained access to certain employee email accounts between April 3 and May 24, 2018.
The information that may have been affected includes patient names, dates of birth, health insurance applications or claims information, health insurance policy or subscriber numbers, health information, IRS identity protection numbers, taxpayer identification numbers, medical history information, treatment and diagnoses information, and medical record numbers.
For certain individuals, this incident may have also affected Social Security numbers, the provider said.
NorthStar said it is offering affected individuals two years of free credit monitoring and identity restoration services.