On June 17, 2017, Medical Oncology Hematology Consultants, PA suffered a ransomware attack potentially impacting some patient EHRs on the practice’s server and computer workstations, according to an online statement.
The potentially affected files may have contained personal information including patient names, dates of birth, phone numbers, health information, and treatment information.
Upon discovering evidence of a ransomware attack, the practice launched an investigation to determine the extent of the damage and identify which patients may have been affected by the attack.
According to the OCR data breach reporting tool, the ransomware attack may have affected the information of 19,203 individuals.
“We also engaged third party experts to assist us in recovering the affected data, to help ensure that our systems were no longer subject to the ransomware, and to examine whether protected health information or personally identifiable information had been used, accessed, disclosed, acquired, or otherwise compromised by unauthorized parties,” Medical Oncology Hematology Consultants said.
In light of the incident, the practice has notified potentially affected patients of the breach and offered individuals one year of free credit monitoring services.
“We have reset our network passwords; restored our servers from pre-incident backups; reviewed and revised our document retention policies; retained a forensic expert to evaluate the incident, determine the source of the intrusion, and recommend additional preventative measures; conducted an email phishing test; provided additional data security training to our employees; installed an umbrella web filtering system; implemented a two factor login authentication system; consolidated our servers and systems to eliminate redundancies; and reevaluated our access privileges,” the organization explained.
Keylogger virus potentially impacts PHI of 10K patients
The Northeast Ob/Gyn Associates (NE OB/GYN) recently notified patients of a keylogger virus potentially affecting its network earlier this summer.
On July 6, 2017, the gynecology practice discovered a keylogger virus affecting its network and quickly removed it from the majority of its network computers and terminal servers by July 11, 2017. According to Northeast officials, the incident was completely resolved by July 13, 2017.
A later investigation found the keylogger virus was first installed on June 5, 2017.
Potentially impacted patients may include any individuals who paid for services with a credit or debit card between June 5, 2017 and July 11, 2017.
The potential breach may have affected 10,198 individuals, according to the OCR data breach reporting tool.
Credit card information, patient names, addresses, dates of birth, Social Security numbers, scheduling notes, current procedural technology, billing codes, and any information keyed into the NE OB/GYN system during the specified time period may have been affected.
“Any information that was not keyed into the system was not affected,” clarified a letter issued by NE OB/GYN officials. “Patient Portal information was not accessed at any point.”
NE OB/GYN sent letters to potentially affected patients whose information may have been exposed. Additionally, the practice is offering patients free identity protection services for one year, as well as a $1,000,000 insurance reimbursement policy.
“A variety of security measures were in place before this incident, including network filtering and security monitoring, firewalls, antivirus software and password protection,” stated the letter.
NE OB/GYN added that it implemented additional security safeguards to reduce the risk of similar threats to patient information in the future.
CVS Caremark mailing inadvertently exposes HIV-related patient information
CVS Caremark—a division of CVS Health—halted a mailing to Ohio patients last week about HIV-related medication after discovering a reference to HIV appeared above patient names in the window of envelopes issued to about 4,000 individuals.
On August 24, AIDS activist Eddie Hamilton of Columbus, Ohio sent local news source The Washington Blade an image of the envelope with a mention of HIV above his name, visible through the envelope window.
“CVS Health places the highest priority on protecting the privacy of our patients and we take our responsibility to safeguard confidential patient information very seriously,” CVS Health spokesperson Michael J. DeAngelis told the Washington Blade.
The letters contained benefit information of participants in Ohio’s AIDS Drug Assistance Program (ADAP). ADAP uses federal funds to pay for HIV medication for low-income individuals without sufficient health insurance.
“A reference code for this assistance program included a series of letters and numbers (PM 6402 HIV) that were visible within the envelope window,” DeAngelis told the news source. “This reference code was intended to refer to the name of the program and not to the recipient’s health status.”
DeAngelis maintained no protected health information was exposed in the potential breach, and that CVS Caremark is taking steps to eliminate the reference in future mailings.
Hamilton stated he has been instructing Ohio ADAP clients to contact the ADAP coordinator in the state to report the potential breach of privacy. Additionally, Hamilton has filed a complaint with OCR.
CA phishing attack compromises employee email account
An employee email account was recently compromised at Community Memorial Health System (CMHS) in Ventura, California as a result of a phishing attack, according to a Pacific Coast Business Times article.
The employee discovered the email account had been hacked after noticing irregularities in their account and immediately notified CMHS officials.
CMHS officials launched an investigation into the incident to determine whether any personal patient information had been accessed or misused through the affected account. Additionally, the health system hired a forensic consultant to determine if any data had been breached.
According to the forensic consultant, there was no evidence to suggest any personal patient information had been misused or leaked.
The information of about 959 individuals was contained within the impacted employee email account. Patient information included names, CMHS medical record number, and some other health information.
Additionally, several patient Social Security numbers were contained within the email account, but CMHS officials stated no bank account or credit or debit card information was included.
Health system officials added they will notify all potentially affected individuals and disable all external access to the CMHS email system. CMHS also plans to deploy additional alerts and monitoring tools to avoid similar incidents in the future.