- Colorado-based Critical Care, Pulmonary & Sleep Associates recently notified 23,000 patients that their personal data was potentially breached during a phishing attack.
On November 23, CCPSA officials discovered a hacker gained access to an employee email account and began sending phishing emails to the employee’s contact list to gain financial payments. Upon discovery, the account was secured and access was blocked, while officials ensured the integrity of the entire email system.
The investigation that followed determined the hacker had access to several different accounts between Aug. 14, 2018 and Nov. 23, 2018, or about three months. Officials couldn’t determine just what the hacker viewed or copied from the accounts, and “regrettably it's possible that personal information was viewed or acquired by the hacker based on the nature of the unauthorized access.”
Only the email system of CCPSA was impacted. The compromised data included a wide range of data that varied by patient, but could include names, clinical data like dates of service, diagnoses, and medical conditions, labs and diagnostic studies, medications, treatment details, addresses, dates of birth, and other treatment information.
For some patients, certain insurance information like member and group numbers, Social Security numbers, driver’s licenses, and costs of services were breached. Credit and debit card details were not compromised.
Since the email hack, CCPSA has changed changed password requirements and how the network can be accessed. Officials consulted with an IT firm to assess the computer environment and and bolstered flaws. Further, they’re reinforcing and mandating security awareness training to all staff.
Officials notified law enforcement and regulatory bodies for further investigation.
Integrity House Device Theft Impacts PHI
New Jersey-based Integrity House, an addictions recovery provider, was recently burgled and a number of computers and tablets containing protected health information were stolen by the thieves on November 25.
The IT team investigated the event to determine the contents of the stolen devices. They found that some personal information including names, dates of birth, Social Security numbers, health insurance data, and some treatment information were stored on the devices.
No financial or payment information was involved.
Officials reported the burglary to law enforcement, and Integrity House is cooperating with their investigation. According to the Department of Health and Human Services’ Office for Civil Rights breach reporting tool, 7,206 patients were impacted.
Belleville General Nurse Fired for Accessing Patient Data
A nurse from Ontario-based Belleville General Hospital was recently fired for accessing hundreds of patient records without permission, according to local news outlet Quinte News.
According to the report, the nurse accessed names, addresses, dates of birth, health card details, and other health data. Officials did not provide a timeframe for the nurse’s inappropriate access. However, the event was first reported to leadership in September 2018.
Officials contacted law enforcement and the Ontario Privacy Commissioner who are investigating the incident to determine whether the data was shared.