On February 25, 2017, Lifespan Corporation suffered a possible healthcare data breach in which an employee’s laptop was stolen.
The theft occurred when an individual broke into an employee’s car and stole several items, including a laptop containing Lifespan Corporation patient information. Upon learning of the theft, the employee immediately contacted law enforcement and reported the incident to Lifespan.
The Rhode Island health organization launched an investigation and changed the employee’s credentials for accessing Lifespan system information to reduce the likelihood of unauthorized access.
Lifespan determined through the investigation that the MacBook was unencrypted and not password protected.
The information of 20,431 patients may have been accessed in the incident, according to the OCR data breach reporting tool.
Information stored on the stolen MacBook included emails containing patient names, medical record numbers, and demographic information.
Lifespan began notifying potentially impacted individuals on April 21 and has established a call center to answer any questions concerned patients may have regarding the incident.
Lifespan stated there is no evidence suggesting any patient information has been accessed or misused. Additionally, no patient medical records or Social Security numbers were stored on the laptop.
To prevent a similar incident in the future, the healthcare organization is retraining employees on security measures and improving security policies and procedures relating to laptop storage.
Unauthorized email access affects 8K
On February 21, 2017, Hill County Memorial Hospital in Fredericksburg, Texas suffered a data breach in which an unauthorized individual accessed an employee email account containing patient and job applicant information.
The email account contained the names, dates of birth, Social Security numbers, addresses, patient identification numbers, prescription information, diagnosis information, and procedure information. The OCR data breach reporting tool states that 8,449 individuals may have been impacted.
Investigators stated the individual likely accessed the email account to submit fraudulent invoices to Hill County’s accounts payable department.
Presently, Hill County has no information regarding which emails the individual may have viewed or whether any personal information has been misused.
“We take patient privacy seriously, and are very sorry for any concern or inconvenience this incident has caused or may cause to anyone who has been affected,” said Chief Executive Officer Jayne Pope.
In an effort to mitigate further damage, Hill County has notified all potentially impacted individuals of the incident and offered concerned patients one year of free credit protection services.
Phishing email attack at Iowa hospital exposes patient information
In February 2017, Google and the state of Iowa suffered multiple phishing email attacks.
The Office of the Chief Information Officer (OCIO) and the Iowa Veterans Home immediately responded to the incident and instituted additional security measures to avoid further problems.
The names, email addresses, phone numbers, medical information, and Social Security numbers of 2,969 patients may have been accessed in the incident.
Presently, Iowa Veterans Home stated they are unable to determine whether any records have been accessed or viewed.
Atlantic Digestive Specialists ransomware attack impacts 2K
On February 20, 2017, Atlantic Digestive Specialists (ADS) discovered some of its systems had been infected with ransomware.
An investigation into the incident determined the ransomware likely infected the systems about two days prior.
ADS personnel promptly notified the FBI and removed the ransomware from the infected systems on February 22, 2017.
With the help of third-party forensic investigators, ADS is working to learn what exactly. At this time, those details remain unclear.
The names, dates of birth, address information, telephone numbers, medical record numbers, health insurance numbers, and Social Security numbers may have been accessed. The OCR data breach reporting tool states that 2,081 patients may have been affected.
The healthcare organization stated there is no evidence suggesting any information has been accessed or misused in any way.
ADS began informing all potentially impacted patients of the incident on April 21, 2017.
The healthcare organization also established a call center offering assistance to concerned individuals as well as access to credit monitoring services.
Pentucket Medical storage boxes containing patient information stolen
On January 18, 2017, four Pentucket Medical storage boxes containing physician employment files and patient information were stolen from the CubeSmart Storage Facility where they were held in Haverhill, Massachusetts.
A surveillance video showed a CubeSmart storage client moving the boxes to an outside loading dock.
CubeSmart management and Haverhill police promptly contacted the client requesting the immediate return of the missing boxes.
On February 21, 2017, the individual returned all four boxes intact, at which point the police department safely returned the boxes to Pentucket Medical.
The boxes included the names, insurance numbers, and Social Security numbers of four New Hampshire residents, all of whom have been notified by mail.
At this time, Pentucket Medical stated they cannot be certain whether any information has been viewed or misused.
To prevent further security issues, Pentucket Medical is offering free credit monitoring and identity theft protection services to all affected individuals.
Additionally, the healthcare organization is reviewing security measures with individuals involved in the incident to ensure better oversight of the transportation of items in the CubeSmart facility in the future.
Ohio hospital discovers incident of unauthorized patient information access
On March 17, 2017, Harrisburg Gastroenterology and the Harrisburg Endoscopy and Surgery Center determined an unauthorized individual might have viewed patient information.
Potentially accessed information includes patient names, demographic information, Social Security numbers, and health insurance information.
Harrisburg has not disclosed the number of patients impacted by the breach.
The healthcare organization stated there is no evidence suggesting any patient information has been accessed or misused in any way.
However, the organization notified all potentially affected patients of the incident and is offering a year of free credit monitoring to any concerned individuals.