Latest Health Data Breaches News

PHI Potentially Accessed in Ballad Health Email Data Breach

Ballad Health, WellStar Health, and Resources for Human Development all reported healthcare data breaches recently.

PHI Potentially Accessed in Ballad Health Email Data Breach

Source: Getty Images

By Jill McKeon

- Ballad Health, a 21-hospital health system headquartered in Tennessee, disclosed a healthcare data breach that potentially led to protected health information (PHI) exposure.

On January 13, Ballad Health discovered unusual activity on an employee’s email account. Further investigation revealed that an unauthorized actor had accessed the account and may have viewed email messages and attachments.

The email contained names, birth dates, medical conditions, medical history, treatment information, diagnosis codes, patient account numbers, and medical record numbers.  

“Ballad Health takes this incident and the security of personal information in its care seriously. Upon learning of the suspicious activity through Ballad Health’s surveillance activity, Ballad Health’s team immediately took steps to investigate the scope of the event,” the health system said.

“Security measures have been taken to secure the employee’s email account, including issuing a new password, and Ballad Health continues to educate the workforce on the importance of security measures each person must take to protect access to the Ballad Health email system.”

It is unclear how many individuals were impacted by the incident. Ballad Health encouraged patients to remain vigilant against identity theft and fraud.

Wellstar Health Faces Email Security Incident

Wellstar Health System in Georgia began notifying individuals of a data security incident that occurred when an unauthorized party gained access to two Wellstar email accounts.

Wellstar discovered the activity on February 7, 2022, but later determined that the unauthorized actor had accessed one or more of the accounts between December 6, 2021, and January 3, 2022. Upon discovery, Wellstar said it disabled account access and required mandatory password resets.

The email accounts contained names, medical record numbers, laboratory information, and Wellstar account numbers. Although no Social Security numbers were impacted, Wellstar encouraged impacted patients to remain vigilant.

It is unclear how many individuals were impacted by the incident.

“Since the date of this incident, Wellstar has taken measures to improve its technical safeguards in order to minimize the risk of a similar incident in the future, including implementing additional technical safeguards on its email system and providing additional training to employees to increase awareness of the risks of malicious emails,” the notice stated.

Stolen Hard Drive Leads to Breach Impacting 46K at PA Nonprofit

Pennsylvania-based Resources for Human Development (RHD) posted a notice on its website regarding a January 2022 security incident. RHD, a human services nonprofit that provides care to people with mental illnesses and developmental disabilities, discovered that a hard drive containing patient and staff information had been stolen.

According to the Office for Civil Rights (OCR) data breach portal, the incident impacted 46,673 individuals.

The hard drive was related to RHD’s Point-to-Point program located in Exton, Pennsylvania. The hard drive contained Social Security numbers, financial account information, payment card information, driver’s license numbers, prescription information, birth dates, treatment information, health insurance information, Medicare and Medicaid ID numbers, electronic signatures, usernames and passwords, and employer identification numbers.

RHD said it had not discovered any evidence of data misuse, but its investigation is ongoing.

“Information privacy and security are among RHD’s highest priorities. Upon learning of this incident, we moved quickly to respond,” RHD said.

“This included conducting an internal investigation with the assistance of third-party forensic specialists and engaging in steps to ensure the security of our offices and computer servers. We are also training our employees on best practices for protecting confidential information.”