The Medical College of Wisconsin (MCW) announced that it suffered a healthcare phishing attack and that certain PHI may have been affected because it was contained in the accessed employee email accounts.
An investigation and manual document review showed that an unauthorized third party accessed “a limited number” of MCW employee email accounts, and that the accounts were compromised between July 21, 2017 and July 28, 2017. However, it could not be definitively concluded whether patient PHI was actually accessed, viewed, downloaded or otherwise acquired.
The accounts were immediately disabled once the issue was discovered, MCW said. Passwords were also changed and the organization added that it “maintained heightened monitoring of the accounts and commenced an investigation.”
MCW said the email accounts contained one or more of the following: patients’ names, home addresses, dates of birth, medical record numbers, health insurance information, date(s) of service, surgical information, diagnosis/condition, and/or treatment information. “A very small number of patients” may also have had their Social Security numbers and bank account information contained in the emails.
“MCW is committed to maintaining the privacy of patient information and continually evaluating and modifying its practices and procedures to enhance appropriate security and privacy measures to prevent recurrence of this incident, including conducting ongoing cyber awareness training for its workforce and regularly updating its system security and firewalls,” MCW said in its online statement.
There were 9,500 individuals who were potentially affected by the incident, according to the OCR data breach reporting tool.
Stolen laptop leads to data security incident in CO
Colorado-based Rocky Mountain Health Care Services (RMHCS) discovered on September 28, 2017 that an RMHCS employee’s laptop was stolen, according to an online statement. The device may have contained certain patient information.
RMHCS said that it commenced an investigation and reported the theft to law enforcement.
The laptop may have contained some participants’ first and last name, address, date of birth, SSN, Medicare identification number, health insurance information, and limited medical treatment information. Financial account information was not included.
The OCR data breach reporting tool states that 909 individuals may have been impacted.
“We take the security of all information in our systems very seriously, and want to assure you that we are taking steps to prevent a similar event from occurring in the future,” RMHCS said. “Those steps include reviewing and updating our policies and procedures related to information security, incorporating mobile device management, and exploring device encryption.”
This is not the first time RMHCS has reported a stolen laptop. The organization said it discovered on June 18, 2017, that a former employee’s cell phone and laptop were stolen.
It was concluded that the devices may have contained some patient PHI, including names, addresses, dates of birth, health insurance information, and limited medical treatment information. Social Security numbers, Medicare identification numbers or financial account information were not involved.
RMHCS did not state how many individuals were involved in the June 2017 data security incident.
Unauthorized access creates patient data privacy concerns in MA
Lowell General Hospital recently announced on its website that an employee accessed certain patient data records without authorization and without any medical reason. The individual no longer works for the Massachusetts-based organization.
“Lowell General Hospital believes that a single employee accessed and reviewed patient records inappropriately in direct violation of hospital policy and trainings,” the statement explained. “We are in the process of reviewing the privacy and security of our electronic medical records system and making improvements to safeguards and monitoring activities. We will continuously provide education to all employees regarding the importance of patient privacy.”
The accessed information may have included names, dates of birth, diagnoses, and other information about patient medical treatment. Social Security numbers, insurance policy numbers, or any other financial information were not accessed, the hospital said.
OCR reports that 769 individuals may have had their information involved.
There is no indication that the data has been misused, and potentially affected individuals will be receiving a letter in the mail about the incident.
“We sincerely apologize and regret that this situation has occurred. Lowell General Hospital is committed to providing quality care, including protecting our patients’ personal information, and we want to assure you that we have policies and procedures in place to protect your privacy,” the hospital stated.