Possible PHI Security Breach in FL Respiratory Facility

August 18, 2016 - Florida-based Rotech Healthcare Inc. reported that it may have experienced a PHI security breach after patient information was recovered by police from an unauthorized individual.

The respiratory and sleep apnea facility said it received a police report on June 13, 2016 that some patient paper records had been recovered. The information included names, Social Security numbers, patient numbers, addresses, the name of the Rotech subsidiary company from which individuals received health care services, and possibly phone numbers and/or dates of birth.

The incident was discovered on June 13, but Rotech said it did not receive copies of the stolen information until July 11 when US Secret Service provided it to them. A review found that the information had been taken from Rotech systems.

“Rotech takes your privacy and the security of your personal and protected health information very seriously, and we are cooperating with law enforcement’s investigation into this incident,” Rotech Vice President of Compliance and Ethics R. Wayne Bradberry, CHC said in a statement. “Rotech and our third party forensic investigators continue to investigate this incident to identify any additional patients who may be impacted by this incident.”

The OCR data breach reporting tool states that 957 individuals were potentially affected. Rotech stated that those individuals will be receiving notifications as they are identified.

READ MORE: How Identity Management IGA Secures Protected Health Information

Furthermore, Rotech said it is reviewing its current policies and procedures to ensure that this type of incident does not happen again.

“We sincerely regret any inconvenience this incident may cause,” Bradberry wrote. “Rotech remains committed to safeguarding information in our care and will continue to take proactive steps to enhance the security of the information in our care.”

Neurosurgical center reports cybersecurity attack affecting 1,100

The Center for Neurosurgical and Spinal Disorders (CNSD) announced that approximately 1,100 patients may have had their information exposed in a data security incident earlier this summer.

A hacker reportedly gained access to and installed a program on a CNSD office manager’s computer. The program recorded keystrokes and periodically took screenshots of what was being displayed on the computer, according to a CNSD statement posted on KPLC.

READ MORE: OCR Settles Improper PHI Disposal Case, Resolves Potential HIPAA Violation

“A subsequent investigation revealed that screen shots of 823 CNSD's patients (along with 311 patients of another practice for whom CNSD bills) were taken between the dates of 7/7/16-7/18/16,” CNSD reported. “It is unclear whether any of this information was downloaded.”

Prior to that, a CNSD IT professional performed an initial investigation and determined that the hacker had gained remote access.

Some patients only had their name displayed, while other instances included names, addresses, phone numbers, Social Security numbers, medical chart information, and billing information were revealed in the screen shots.

The FBI has been notified and affected patients will be receiving notification letters.  

“After the FBI took the hacked hard drive, CNSD's IT professional put in a new hard drive with a new operating system into the computer at issue, and CNSD hired a separate IT security company to perform a complete examination of all software, servers, computers, routers, firewalls, and office security,” the statement read. “No additional suspicious programs, viruses, spyware, or malware were detected. The security firm has been retained to provide ongoing network security analysis and advanced threat protection.”

READ MORE: How Did This Happen? Understanding the Issue of Third-Party Tracking Tech in Healthcare

Stolen briefcase contained patient information

A California-based dentist reported that certain patient information may be at risk after an external hard drive was stolen from his car on July 25, 2016.

John E. Gonzalez, DDS said in a statement that his car window was broken and a briefcase containing the hard drive was taken. Gonzalez maintained that there was a low risk to data being exposed because it was “un-readable,” but he added that the data was unencrypted.

Patient records were backed up on the drive, and this includes Social Security numbers, driver’s license numbers, phone numbers, dates of birth, physical and email addresses, and health insurance information. However, passwords, user names, complete credit card information, and bank information were not stored on the drive. The last four digits of the most recent used credit card were stored.

“Pictures of patient cases (teeth only, no faces) that included patient first and last names and phone numbers were saved on the drive,” Gonzalez said. “These files of pictures are stored in jpeg format and can be opened easily.”

The OCR data breach reporting tool states that 1,057 individuals were affected by this incident.

“After numerous consultations with the dental software company, I am convinced the risk of any unauthorized person being able to access the medical records information (which is listed above) is incredibly low as the software is HIPAA compliant,” wrote Gonzalez. “We have placed other safeguards with that company which require PIN and caller ID verification to prevent any access to this data by an unauthorized party. All data of patient records is in unreadable format; it cannot be opened without extreme effort, costly purchases, and expert guidance.”

Gonzalez also encouraged patients to regularly review their explanation of benefits sent from their health insurer for any unauthorized procedures and to check their credit reports for bills they do not recognize. Placing a fraud alert on credit files could also be beneficial, he said.