An internal security scan revealed that there was a data server configuration error, allowing potential PHI exposure at BJC HealthCare.
The Missouri-based organization revealed in an online statement that 33,420 patients may have had their information made publicly accessible through the internet.
Identifying documents were accessible without the appropriate security controls from May 9, 2017, to January 23, 2018.
The server was immediately reconfigured to its correct setting once the discovery was made, BJC explained. An investigation did not show that data was accessed, but the organization said it will be offering affected patients complimentary identity protection services out of an abundance of caution.
Information included copies of patient driver’s licenses, insurance cards, and treatment-related documents that were collected during hospital visits spanning 2003 to 2009. Additionally, patient names, addresses, telephone numbers, dates of birth, Social Security numbers, driver’s license numbers, insurance information and treatment-related information may have been accessible.
QuadMed LLC notifies three separate orgs of potential data exposure
Occupational health and primary care services provider QuadMed LLC recently notified three separate organizations that certain health-related information may have been inappropriately accessed.
Hillenbrand clinics (and its subsidiary Batesville), Stoughton Trailers’ contractors (including prospective, current and former employees and certain dependents), and Whirlpool Corporation’s Clyde, Ohio location all may have been impacted.
QuadMed became aware of a possible technical issue on December 26, 2017, the notification letters stated. It was consequently determined that certain employees at those three locations may have been able to access more information than should have been permitted.
When QuadMed took over onsite clinics at the locations, it was “agreed that occupational health-related information would continue to be stored in a shared occupational health electronic records system to allow certain authorized [company] employees the access needed for administration of occupational health matters.”
Potentially accessed data may have included names, date(s) of services or treatment at the onsite clinic, and medical information, such as test or evaluation results, diagnoses, and information related to medical history, examinations, physicals, screenings, vaccinations, travel medicine, and/or workers’ compensation information.
QuadMed said that along with each involved organization, it has “implemented new administrative and technical controls to protect health information in the occupational health electronic records system. In addition, employees have been re-educated on HIPAA’s requirements for protecting health information.”
The OCR data breach reporting tool lists two incidents, one impacting 2,834 individuals and another saying that 2,471 were affected. Both are listed under QuadMed, so it is not clear which incident corresponds to which of the notified organizations.
Stolen laptop may have contained certain health information in CA
California College of the Arts (the College) is notifying 2,581 California residents that some of their information may have been exposed following the theft of an employee’s laptop.
The laptop was stolen out of the employee’s vehicle on January 19, 2018. Files on the laptop may have contained some combination of an individual’s name, Social Security number, date of birth, subscriber member number and/or health insurance information.
“The user’s passwords were changed to prevent access to the College’s computer systems,” the College said in documents submitted to the California Attorney General’s Office. “The College also began to monitor for signs that the laptop was active to remotely wipe the device. To date, the College has not seen any signs that the laptop has connected to the internet.”
Individuals will also be offered one year of free access to credit and identity monitoring services, including identity restoration services.
The submitted media notice, letter to parents or guardians of students at the College, and another notification all state that subscriber member number and/or health information were involved. However, a copy of the letter sent to potentially affected individuals only states that names and Social Security numbers were involved.
Additionally, the OCR data breach reporting tool states 623 individuals were affected in an incident attributed to the College.
Employee email accounts accessed at physical therapy org
Employee email accounts were accessed without authorization between January 9, 2018 and January 12, 2018, which may have led to certain patient information being accessed as well, according to an ATI Holdings, LLC statement.
The physical therapy organization said it became aware of the issue on January 11, 2018, when it realized that certain employees’ direct deposit information was changed in its payroll platform.
Patient information that may have been contained in the accessed email accounts included names, dates of birth, driver’s license or state identification numbers, Social Security numbers, credit card numbers, financial account numbers, patient identification numbers, Medicare or Medicaid identification numbers, medical record numbers, diagnoses, disability codes, treatment information, medication/prescription information, doctor’s or therapist’s names, billing/claims information, and/or other health insurance information.
Potentially affected individuals will receive access to free credit monitoring services, ATI said.
“We have ensured that all employees identified as impacted changed their passwords,” the company continued. “We are taking additional actions to strengthen the security of our email systems moving forward, as well as providing additional training to users and employees on how to identify phishing scams. We continue to monitor our systems to better protect the privacy and security of your personal information.”
The statement did not reveal how many individuals may have been impacted by the incident.