- Unauthorized access to employee email accounts may have led to a PHI data security incident at Primary Health Care Inc. (PHC), according to an organization statement.
PHC discovered the access to four employee accounts and the related Google Drives on March 1, 2017, and said the accounts had been accessed on February 28, 2017. The unauthorized access was “immediately terminated.
An investigation did not determine whether or not patient information was accessed, but PHC said that the email accounts may have included PHI.
The report submitted to OCR said that 10,313 individuals may have been impacted.
A combination of patient names, phone numbers, Social Security numbers, driver's license numbers, financial account numbers, credit/debit card numbers, dates of service, diagnoses and treatment information, medical history, facilities and providers visited, health insurance/payor information and, if applicable, Medicaid identification number may have been involved.
“The confidentiality, privacy, and security of patient information is one of PHC's highest priorities,” PHC stated. “PHC has stringent security measures in place to protect the security of information in its possession.”
“In addition, as part of our ongoing commitment to the security of protected health information in its care, PHC is working to implement additional safeguards and security measures to enhance the privacy and security of information on its systems,” PHC continued.
The organization added that it will be offering 12 months of identity protection services to potentially affected individuals.
Ransomware attack hits NY organization
New York-based Finger Lakes Health reportedly was impacted by a ransomware attack, but there is no indication that patient or employee information has been compromised.
The organization said the incident was brought to its attention around midnight on March 18, 2018. Specific electronic systems were encrypted and Finger Lakes was told it would need to pay money to gain back access.
“We immediately implemented our manual downtime protocol and procedures which we have practiced for circumstances when computer access is limited,” the Finger Lakes statement read, according to multiple local news sources. “We, like many other health systems and businesses, have prepared for this inevitability due to the increase in these types of incidents.”
Finger Lakes added that it is working with local law enforcement and security professionals to return to normal operations as soon as possible, and that patient and resident care are “at the center of [its] decisions.”
MS hospital reports email error possibly exposed patient info
Memorial Hospital at Gulfport discovered through a routine internal audit that an inadvertent email may have exposed patient information.
Patient names, internal (Memorial) encounter number(s), and medication(s) used during any visit to the Cath Lab from August 2017 to December 2017 may have been involved. Financial information, Social Security numbers, diagnoses, symptoms, and other demographic information were not disclosed.
A clerical error reportedly led to a single, external email address receiving information, Memorial said in its notification letter that was signed by President and CEO Gary Marchand, MPH.
“The error was immediately corrected upon discovery,” Marchand wrote. “The information sent by email was encrypted and would require a unique password to open. Additionally, Memorial has been unable to confirm whether the email address was operational, or whether the information was received by the unintended recipient.”
The OCR data breach reporting tool states that 1,512 individuals may have been impacted.
The statement said Memorial “will continue to use its best efforts to prevent any unintended disclosures in the future.”
Vendor reports unauthorized web server access
Third-party contractor FastHealth Corporation received a notice from law enforcement on November 2, 2017 that “an unauthorized third party may have accessed or acquired certain information from FastHealth databases,” according to a statement posted on the Vermont Office of Attorney General site.
An investigation revealed that unauthorized access to a web server happened in mid-August 2017, and that information may have been acquired.
The letter did not specify the potentially acquired information, other than individuals’ names.
“To help prevent this type of incident from occurring again, we are implementing a new encryption solution for sensitive personal information that we store and maintain, and are strengthening our data protection and security protocols,” the letter explained.
The OCR data breach reporting tool states that 1,345 individuals may have been impacted.
Potentially affected individuals will also be offered complimentary identity monitoring services for one year, which indicates that more than individuals’ names were likely involved.
The sample letter was also missing specific data and had place holders, such as where contact phone numbers and other information were meant to be placed.
Lost disc with PHI impacts health and human services provider
National Mentor Healthcare, LLC (d/b/a Georgia MENTOR) announced a potential data breach stemming from a lost unencrypted disc containing certain patient information.
Georgia MENTOR discovered on December 21, 2017 that the disc appeared to have been lost in the mail. A third party software vendor had sent the disc.
There is no evidence that the information has been misused, but potentially impacted individuals will still receive a notification about the incident. Georgia MENTOR also urged individuals to “review financial statements, monitor credit reports and report suspicious activity to the institution with whom the information is shared.”
Names and medical information, and one individual’s Social Security number were on the unencrypted disc.
“Georgia MENTOR takes seriously its responsibility to safeguard the confidentiality, privacy and security of information in our custody,” the organization stated. “We have security measures in place and are taking additional steps to enhance data security going forward. We regret that any information was put at risk.”
Georgia MENTOR did not state how many individuals may have been impacted, and there was not yet a report submitted to OCR at the time of publication.