UMC Physicians (UMCP), a physician practice management group set up by Texas-based UMC Health System, announced July 11 that it had notified more than 18,000 patients about a healthcare data breach in which their PHI may have been compromised by the hack of an employee’s email account.
The email hack occurred on March 15 and was discovered on May 18, the company said.
Patients’ PHI that could be affected included names, addresses, phone numbers, medical record numbers, diagnoses, Social Security numbers, dates of birth, dates of service, and health insurance information.
UMCP said it has no evidence of actual or attempted misuse of personal information at this time.
Despite this finding, UMCP said it is offering free credit monitoring and identity restoration services for one year.
Alive Hospice’s Phishing Attacks Expose Treasure Trove of PHI
Tennessee-based Alive Hospice said July 13 that unauthorized persons gained access to two employee email accounts through phishing attacks that exposed a treasure trove of patient PHI.
The information that was exposed included patient name, date of birth, Social Security number, passport number, driver's license or state identification number, copy of birth or marriage certificate, financial account number, medical history information, treatment and prescription information, health insurance information, username/email and password information, biometric identifiers, IRS PIN number, digital signatures, and security questions and answers.
An investigation by third-party forensics investigators determined the unauthorized activity began on or around December 20, 2017, for one employee, and on or around April 5, 2018, for the other employee.
Alive said it was offering affected individuals free credit monitoring and identity restoration services for one year, but it did not say how many patients were affected. The breach had not been posted to the OCR’s Breach Portal as of July 19.
Billings Clinic Has Email Breach Exposing PHI on 8,400 Patients
Montana-based Billings Clinic experienced a PHI breach that may have affected 8,400 patients, the Billings Gazette reported July 13.
An employee’s email account was hacked while the employee was traveling overseas. Information that may have been compromised included patients' names, dates of birth, contact information, medical record numbers, internal financial control number, diagnosis, and limited medical services descriptions.
In a release, the clinic stressed that the breach did not include patients’ Social Security numbers, credit card numbers, banking information, insurance information, or EHR information.
In April, Billings Clinic announced another email breach in which personal information was exposed on 949 patients who used the Atrium Pharmacy on the hospital’s main campus.
Nashville Government Server Exposes PHI on Patients with HIV or AIDS
A database of patients with HIV or AIDS was kept on a shared government server at the Nashville Metro Public Health Department for nine months, USA Today’s Tennessean.com reported July 11.
The database included information on the patients’ addresses, Social Security numbers, sexuality, and drug use history.
Metro Health officials said that they do not believe the database was improperly accessed during the nine months it was on the shared server, but they can’t know for sure because a server auditing feature had been left inactive.
“With no auditing, an employee potentially could have copied the data onto a thumb drive and taken it home, leaving no trace,” according to Tennessean.com.
The report did not say how many individuals were affected by the breach.
Rocky Mountain Health Care Says Laptop Theft Exposed PHI on 1,087 People
Colorado-based Rocky Mountain Health Care Services (RMHCS) reported to OCR on July 13 that the theft of a laptop exposed PHI on 1,087 individuals.
In a statement, RMHCS said that on May 15 it discovered that an employee laptop containing PHI was stolen. The information on the laptop included patients’ names, addresses, dates of birth, Social Security numbers, and medical treatment information, including diagnosis, prescription information, and treatment plan.
RMHCS sent letters July 13 informing potential victims about the breach. The healthcare provider is offering free credit monitoring and identity theft restoration services to those affected by the breach.
PHI of 4,824 People At Risk in Terteling Email Hack
Idaho-based Terteling Company health plan reported to OCR on July 6 that PHI of 4,824 individuals may have been exposed in an email hacking incident.
The information included names, Social Security numbers, home addresses, birth dates, earnings amounts, health plan ID numbers, driver’s license numbers, and business-issued credit cards, Terteling said in a June 26 release.
Email communications about health plan participation, coverage, claims, including information concerning diagnoses, medications, procedures, treatment dates, and payments sought and paid, were also potentially exposed in this incident, the release said.
The breach affected the Terteling Company, Western States Equipment Company, Agri-Service, the 36th Street Garden Center and Bistro, and Red Horse Mountain Ranch, which was previously affiliated with the Terteling Company.
The company learned of the phishing email on May 1. After several days of investigation, it determined that the phishing email might have been sent due to a business network intrusion by an external actor. On May 10, it contained the external actor by restricting network access and requiring all users to reset their passwords.
Terteling is providing affected individuals with free credit monitoring and identity theft service for one year.
Sunspire Health Admits to Email Hack That Exposed PHI of Patients
New Jersey-based Sunspire Health said on July 16 that a breach of employee email accounts may have exposed patient PHI.
Between April 10 and May 17, 2018, Sunspire learned that its employees became the target of a phishing email campaign that compromised several email accounts.
Patient information that may have been compromised included client names, dates of birth, Social Security numbers, treatment and diagnosis information, and health insurance information.
Sunspire is providing credit and identity monitoring services to affected individuals at no charge.
UPMC Cole Says Phishing Attacks Exposed PHI of 790 Patients
Pennsylvania-based UPMC Cole said July 16 that it notified 790 patients that their PHI may have been inappropriately accessed because of two phishing attacks against employees.
UPMC Cole said that an internal investigation determined that there were two phishing attacks on June 7 and June 14 against employee email accounts.
The information that may have been accessed included patients’ names, dates of birth, scheduling information, types of procedures, names of providers, and treatment.
UPMC Cole stressed that no medical records or Social Security numbers of patients were accessed.