Kentucky-based Estill County Chiropractic (ECC) recently announced on its website that it had experienced a potential ransomware attack, in which an unauthorized user installed malicious software that encrypted patient files.
ECC said that it immediately shut down the compromised system, replaced it, and “included additional security measures.”
“ECC worked diligently to restore files that contained patients’ health information, and also hired a computer consultant to help determine how this event happened,” the statement read. “ECC believes there were initial instances of unauthorized access to its system beginning January 6, 2017, ending with the encryption of files on January 17, 2017.”
The organization added that while there is no indication that patient data was taken or viewed, it cannot entirely rule that scenario out. Potentially accessed information included patient names, email addresses, phone numbers, addresses, dates of birth, Social Security numbers, clinical information, provider notes, diagnosis information, claims, and health plan numbers.
Potentially affected individuals will be offered complimentary credit monitoring services for one year.
The OCR data breach reporting tool states that 5,335 individuals were possibly impacted by the incident.
Email phishing incident leads to privacy incident in Washington
Washington University School of Medicine reported on its website that one of its employees responded to an email phishing scam, potentially allowing some patient information to be accessed.
The school said that it learned on January 24, 2017 that an employee had responded to the phishing attack on December 2, 2016. Washington University explained that it secured the email accounts and began an investigation once it discovered what had happened.
“To help prevent such incidents in the future, we are reinforcing education with our staff and faculty of existing protocols and university resources regarding ‘phishing’ emails,” Washington University stated. “We also are reviewing enhancements to strengthen our business practices and user login authentication process.”
The investigation could not rule out the possibility that certain patient information may have been accessed, according to Washington University. The accessed employee email accounts may have included names, birth dates, medical record numbers, diagnosis and treatment information, other clinical information, and Social Security numbers in some cases.
The statement did not specify how many individuals may have been affected, and the OCR data breach reporting tool did not have the incident listed at the time of publication.
KY provider reports insider security breach
Kentucky-based Med Center Health announced on its website that a former employee accessed certain patient billing information without authorization.
An internal investigation on January 4, 2017 found that on two occasions the individual “obtained certain billing information by creating the appearance that they needed the information to carry out their job duties for Med Center Health.”
“The evidence we have gathered to date suggests that the former employee intended to use these records to assist in the development of a computer-based tool for an outside business interest which had never been disclosed to Med Center Health officials,” Med Center Health explained in its letter, signed by CEO Connie Smith.
The individual reportedly obtained information in August 2014 and February 2015, using an encrypted CD and encrypted USB drive. The employee did not have any work-related reason to access the information.
Patient medical records were not accessed, Med Center Health stressed. However, the billing information included patient names, addresses, Social Security numbers, health insurance information, diagnoses and procedure codes, and charges for medical services.
Med Center Health added that not all patients were potentially impacted. Only certain patients who had been treated at The Medical Center Bowling Green, The Medical Center Scottsville, The Medical Center Franklin, Commonwealth Regional Specialty Hospital, Cal Turner Rehab and Specialty Care and Medical Center EMS between 2011 and 2014 may have been affected.
Law enforcement had requested that the organization delay its data breach notification process, the statement explained.
“We sincerely apologize for any concern and inconvenience this incident may cause you,” the letter read. “We continue to review the incident and to take steps aimed at preventing similar actions in the future. Those actions include re-enforcing education with our staff regarding our strict policies and procedures in maintaining the confidentiality of patient information.”
The Med Center Health statement did not specify how many individuals may have been affected.
1,200 N.C. patients impacted by accidental release of information
Several local North Carolina news sources are reporting that the Mecklenburg County Health Department inadvertently released patient information to news outlets in response to public records requests.
Approximately 1,200 individuals were affected, according to a WSOC report. The information was reportedly given out in response to media outlets requesting information on the Health Department's failure to notify women of abnormal Pap smear results.
"I am absolutely speechless with anger about how something like this could happen," said Mecklenburg County Manager Dena Diorio.
Diorio explained that the information was in a spreadsheet attached to an email, and that typically attachments with sensitive data are deleted before the IT department makes media copies. However, this email was overlooked.
Vice Chairman for the Mecklenburg County Commissioners Jim Puckett told Spectrum News that the irony of the situation is that the department was attempting to answer for one mistake, and in turn made a larger one.
“The County has contacted the outlets to recall the information and is confident that no protected information has been released to the public,” a department statement explained. “Mecklenburg County takes protecting private information very seriously and has multiple levels of security to keep this from occurring. That system failed in this instance, and the County will closely review the policy and procedures used to release information and to make sure this type of information is not released in the future.”