Quest Diagnostics recently announced that it became aware of a PHI data breach on November 28, 2016, that may have involved the information of 34,000 patients.
On November 26, 2016, an unauthorized third party accessed the MyQuest by Care360® internet application, according to a copy of the data breach notification letter.
Social Security numbers, credit card information, and insurance or other financial information were not involved. However, patients may have had their name, date of birth, lab results, and, in some instances, telephone numbers accessed.
“When the intrusion was discovered, we immediately took steps to stop any further unauthorized activity,” read the letter, which was signed by Quest Executive Director of Compliance Operations & Privacy Office Carl A. Landorno. “We are taking steps to prevent similar incidents from happening in the future, and are working with a leading cybersecurity firm to assist with our investigation and to further evaluate our systems. We have also reported the incident to federal law enforcement authorities.”
Quest added that there is no evidence that the PHI has been misused in any way, so there is no need for potentially affected individuals to take additional steps to protect themselves from the breach.
Ransomware attack affects Louisiana facility
Louisiana Health Cooperative, Inc. in Rehabilitation (LAHC) announced on its website that certain policyholders, members and subscribers may have been impacted by a ransomware attack on a company that did business with LAHC for reinsurance in 2013 and 2014.
Summit Reinsurance Services, Inc. (Summit Re) notified LAHC on October 24, 2016 that it had discovered a ransomware infection on a server on August 8, 2016.
After an investigation, it was determined that the affected server may have contained one or more of the following: member names, provider names, Social Security numbers, and health insurance information. Additionally, certain claim-focused medical records containing information such as diagnosis/clinical information, which Summit uses as part of its stop-loss and reinsurance underwriting and consulting services, may have been involved.
The investigation is ongoing, but there is currently no evidence that the information was misused or that anyone attempted to misuse it, Summit Re explained in its notification letter to LAHC.
“Nevertheless, we are providing you with this notice as information you (or an agent on your behalf) provided Summit was contained on the server under investigation,” stated the letter, which was signed by Summit President Mark Troutman. “Upon request, we will securely transfer a file identifying the potentially affected personal information affiliated with your plan.”
The OCR data breach reporting tool states that 8,000 individuals were potentially affected by this incident.
NJ physician reports likely ransomware attack
New Jersey-based Dr. Melissa D. Selke recently posted a data breach notification letter on her website about an incident that may have affected several thousand patients.
Selke reportedly discovered on October 6, 2016 that her information system had been infected with a virus that prohibited access to patient files. The system was quickly restored and an investigation was launched.
It was later determined on November 18, 2016 that an unauthorized third party introduced the virus onto Selke’s system.
Potentially affected data includes patients’ names, addresses, phone numbers, Social Security numbers, treatment and diagnosis information, driver’s license information, health insurance information, treating physician information, medical record number, and treatment date(s).
However, Selke explained in her letter that the third party “viewed or took patient information stored on the server.”
“We take this incident, and patient privacy, very seriously,” Selke said in a statement. “We are taking steps to help prevent another incident of this kind from happening, and continue to review our processes, policies, and procedures that address data privacy.”
Approximately 4,200 individuals were impacted by this incident, according to the OCR data breach reporting tool.
While no protection services were offered, Selke encouraged affected individuals “to remain vigilant against incidents of identity theft and fraud.” Individuals should regularly review their financial account statements, credit reports, and explanations of benefits for suspicious activity, the notification letter said.