West Virginia-based Coplin Health Systems recently reported a possible health data breach after it discovered that a laptop potentially containing personal health information was stolen.
The device was stolen from an employee’s automobile on or about November 2, 2017, according to the notification letter, which was signed by Coplin Health Systems CEO Derek Snyder. The laptop was password protected but the hard drive was unencrypted.
Information possibly on the laptop included patient names, addresses, Social Security numbers, dates of birth, financial information, and health information.
“Among other actions, our IT department immediately disabled the affected employee’s access to our computer networks and has continuously monitored our computer networks,” Snyder wrote. “To date, no one has attempted to use the stolen laptop to access any of our IT networks. Nor have we received any information from law enforcement authorities or from any of our patients that would suggest that any person’s personal information has been accessed or used improperly.”
The OCR data breach reporting tool stated that 43,000 individuals may have been impacted.
Snyder added that Coplin is taking precautions to ensure that the same incident does not happen again.
“We will ensure that our internal policies and procedures are being followed, and will review the security precautions in place to identify those areas in which security measures require supplementation,” he stated. “Further, any employee found violating these privacy standards will be subject to disciplinary action.”
FL Medicaid security breach involved info of 30K
Florida’s Agency for Health Care Administration (Agency) announced that one of its employees fell victim to a phishing email on November 15, 2017.
The Agency learned about the incident on November 20, 2017 and immediately reported it to the Inspector General. A review was then initiated and it is still ongoing, although preliminary findings were reported on January 2, 2018.
“Prior to the review, the employee changed their login credentials to stop inappropriate access,” the Agency said in its online statement, adding that up to 30,000 individuals may have been affected. “Although the review is ongoing, the Agency believes that only approximately 6 percent of these individuals could be confirmed as having their Medicaid ID or social security numbers potentially accessed.”
Along with partial or full Social Security numbers, potentially exposed data may include Medicaid enrollees’ full names, Medicaid ID numbers, dates of birth, addresses, diagnoses, and medical conditions.
The Agency does not believe that any of the data has been misused, but explained it will be offering individuals free identity monitoring and protective services for one year.
Along with an ongoing review to determine the breach circumstances, the Agency said it “initiated new and ongoing security training to ensure proper security protocol for all employees.” The Agency also “is exploring additional security options to protect against further breaches.”
Stolen hard drive at MA radiology lab impacts 9.3K
Charles River Medical Associates reported that a hard drive likely containing information on individuals who received a bone density scan at a radiology lab is lost. The hard drive possibly held data on individuals who received a scan at the facility’s Framingham lab in the last eight years.
OCR lists 9,387 individuals as possibly being affected.
The hard drive stored information dating back to 2010, including names, dates of birth, patient identification numbers, and bone density scan images.
Only information from the Framingham bone density lab was included on the hard drive.
The device had no encryption protections and was updated once per month as a backup of bone density records, according to a Wicked Local report. Charles River associates told the news source that the drive was last seen in October 2017 and was noticed missing in November 2017.
“There are no leads on where the hard drive went,” Charles River Medical Associates Executive Director Brian Parillo told the news source. “We’ve looked everywhere in the building, spoken to every person who works there and nobody knows.”
Parillo added that the company will no longer use unencrypted portable devices to store medical records.
“We’re taking all the steps necessary to make sure this doesn’t happen again,” Parillo said. “We’re doing a full audit of our hardware, re-training all the staff on privacy workflows.”
Possible OK Medicaid data breach reported
Oklahoma State University Center for Health Sciences (OSUCHS) announced on its website that unauthorized computer network access by a third party could have led to a Medicaid data breach.
OSUCHS said it learned of the incident on November 7, 2017 and removed folders containing Medicaid data from the network on November 8. It also terminated the third-party access and launched an investigation to determine whether the folders had been compromised.
The folders may have contained patients’ names, Medicaid numbers, healthcare provider names, dates of service, and limited treatment information. One Social Security number was on the server. OSUCHS stressed that the folders did not contain medical records.
The statement did not reveal how many individuals may have been affected.
“We have no conclusive indication of any inappropriate use of patient information,” OSUCHS stated. “However, out of an abundance of caution, we began mailing letters to affected patients on January 5, 2018.”
OSUCHS added that it has since implemented additional security measures to protect patient data.
Paper records lost in transit create data security incident
DJO Global reported that certain DJO Global Patient Product Agreement forms may have been lost in transit.
The incident likely affects individuals who received a DJO Global product from their doctor while being treated in the emergency room, Same Day Surgery Center or Urgent Care site at the Siena, San Martin or De Lima campuses of St. Rose Dominican Hospital, Las Vegas, Nevada.
The forms were likely lost in transit either between when DJO’s vendor picked up the form from the doctors or when the forms were dropped off at FedEx.
The forms may have contained individuals’ names, addresses, phone numbers, dates of birth, physician names, physician locations, product information, product order dates, dates of injury, diagnosis code(s), health plan information, and health plan identification number (which may incorporate Social Security numbers).
“As of today, we have conducted a thorough investigation and have uncovered no evidence that any patient information has been misused,” DJO explained in its online statement. “To ensure an incident like this does not happen again, we have implemented new quality controls in our mailing processes and retrained our vendor on the safeguarding of paper records containing protected health information.”
Individuals who received a DJO Global product from the Siena, San Martin or De Lima campuses of St. Rose Dominican Hospital between July 17, 2017 and October 16, 2017 may be eligible for a complimentary membership of identity protection services for one year.
DJO did not state how many individuals may have been affected.