- Planned Parenthood of the Heartland faces a possible healthcare data breach affecting 2,506 patients after paper records were exposed during the closure of a healthcare center in Iowa, according to a company press release.
Patients at the Dubuque location treated between August 2008 and April 2014 may have had some of their PHI accessed by an unauthorized entity following the closure and sale of the healthcare center. Information that may have been affected included names, dates of birth, mailing addresses, insurance information, Social Security numbers, medical record numbers, diagnoses, treatments, and lab results.
The healthcare system reported that it has secured the records and has implemented measures to ensure that patient privacy and confidentiality is being protected.
“PPHeartland’s [Planned Parenthood of the Heartland] standard policy is to conduct ongoing security audits—which already far surpass state and federal regulatory standards—to ensure we remain true to our commitment to patient privacy,” Chief Clinical Officer Penny Dickey said in a statement.
“We have conducted a rigorous review of our processes and revised our facilities relocation protocols. All staff responsible for facility relocation have been apprised of these modifications.”
All affected individuals have also been contracted about the healthcare data security incident.
“PPHeartland is dedicated to securing and maintaining our patients’ trust; this incident is in no way representative of PPHeartland’s stringent privacy standards,” added Dickey. “We will continue to strive toward the highest quality patient care, including stringent confidentiality standards, at all of our health centers.”
PA ambulatory surgery center hit by hospital ransomware attack
Approximately 13,000 individuals are being notified of a hospital ransomware attack in Pennsylvania that may have exposed patient information to cybercriminals, reported an article from Bucks County Courier Times.
The Ambulatory Surgery Center at St. Mary discovered on June 1 that an outside party had encrypted files on an internal network. Staff members reported that the hackers prevented employees from accessing files and demanded the medical center to pay a ransom.
A spokesperson from the Ambulatory Surgery Center stated that the organization did not pay the ransom because it had a full backup of the files that were encrypted. The medical center also notified all affected patients, even though there was no evidence that patient files were viewed by unauthorized users
, explained the article.
“In most cases, ransomware is not utilized for the purposes of accessing personal identification information,” stated the notification letter. “However, since the ransomware did access our network, we need to notify you just in case other information was accessed.”
The medical center has launched an investigation into the healthcare cyberattack, including an internal audit to ensure that its networks are secure.
TX clinic notified 717 patients of possible PHI breach
The Midland Women’s Clinic in Texas has experienced a possible PHI breach in April when a former physician left patient information at his private residence, according to a statement on the clinic website.
Mario M. Gross, MD, who was last employed by the clinic in 2006, may have made some patient information accessible to unauthorized parties for a limited period of time at his residence.
The records included names and addresses as well as some healthcare data, such as dates of birth, account numbers, diagnoses, medications, procedures, and physician notes. In some cases, patients may have also had their Social Security and Medicare and/or Medicaid numbers disclosed by the incident, reported Midland Women’s Clinic.
The Office of Civil Rights data breach tool reported that 717 patients were affected by the unauthorized disclosure.
After discovering the healthcare data security event, the patient records were secured and the clinic launched an internal investigation to identify affected individuals. Midlands Women’s Clinic also implemented additional data security measures to prevent future incidents.
“The Clinic has reviewed and modified its policies and procedures to prevent future incidents, educated its medical staff about the incident and tasked them with reviewing and updating their own controls over patient records, and reminded its workforce about the rules and procedures for protecting patient records,” stated the press release.
An emailing error leads to data security incident in CA
The California Health Care Facility, a department of the California Department of Corrections and Rehabilitation, has notified an unspecified number of patients of a data security incident.
The healthcare organization reported in a notification letter on its website that an employee had mistakenly emailed a document containing patient names and Social Security numbers to the wrong recipient. The incident occurred on May 2.
After discovering the possible breach, the California Health Care Facility deleted the email in question from the email system.
“We regret that this incident occurred and want to assure you that we reviewed and revised our procedures and practices to minimize the risk of recurrence,” wrote Jennifer Barretto, a warden at the facility.
All affected individuals have been encouraged to place a fraud alert on their credit files.
AK healthcare organization reports another potential Bizmatics EHR breach
Another healthcare organization has announced a possible EHR breach stemming from a hacking incident at Bizmatics, a health IT vendor.
Arkansas Spine and Pain has reported that some of its patient files that were managed by Bizmatics may have been viewed by an unauthorized user. Bizmatics alerted the healthcare organization on May 12 that some of its EHR data was located on one of its servers that had been hacked.
Arkansas Spine and Pain explained that the intruders may have installed malware on the vendor’s system, infiltrating its servers. Bizmatics first discovered the hacking incident in late 2015, according to the statement.
Affected patients may have had some of their medical record information exposed, including names, addresses, dates of birth, insurance information, Social Security numbers, and clinical documentation.
While Bizmatics could not confirm if any of the healthcare organization’s EHR files were accessed by the intruders, Arkansas Spine and Pain has notified all potentially affected individuals.
The healthcare organization also added that Bizmatics was “taking steps to further strengthen its defenses against cyberattacks, including hardening its firewall and network configurations.”
“We have also been assured by Bizmatics that they are committed to ensuring its systems are as secure as they can be in our current environment,” the statement explained.
Bizmatics has recently notified several other healthcare providers of potential EHR breaches after hackers accessed its servers containing medical records.
In May, Florida-based Southeast Eye Institute, PA contacted over 87,000 patients of a possible healthcare data breach after Bizmatics, its former practice management vendor, experienced unauthorized access to its servers.
Similarly, Integrated Health Solutions in Pennsylvania announced last month that it experienced a potential EHR breach affecting over 19,000 individuals after an outside party had hacked into servers at Bizmatics that contained patient records.