- Massachusetts-based medical equipment supplier Reliable Respiratory reported to OCR on Sept. 1 that a phishing attack exposed PHI on 21,311 individuals.
In a notice on its website, Reliable Respiratory said that on July 3 it discovered a breach of an employee’s email account that resulted from a successful phishing attack.
Based on an investigation by a third-party forensic specialist, the company determined that an unauthorized individual or individuals gained access to the employee email account between June 28 and July 2.
Information that may have been compromised included patient name, bank or financial account information, medical diagnosis, treatment information, medication/prescription information, driver’s license or state identification number, Social Security number, patient claim/billing information, date of birth, credit or debit card information, username and password, health insurance information, medical record number, and/or passport number.
Despite the scope of the information exposed, Reliable did not indicate that it would provide free credit monitoring services to victims.
Fetal Diagnostic Institute of the Pacific Hit By Ransomware Attack
Hawaii-based Fetal Diagnostic Institute of the Pacific (FDIP) reported to OCR on Aug. 30 that an attack on its network servers exposed PHI on 40,800 patients.
In a notice on its website, FDIP said that on June 30 it suffered a ransomware attack that encrypted patient records stored on its servers.
The healthcare provider hired a cybersecurity firm that was able to remove the ransomware and restore the data using backup files. The firm cleansed FDIP's computer systems, confirmed that no malware remained, and implemented additional protections to help avoid future incidents.
Data related to past and current patients, including full name, date of birth, home address, account number, and diagnosis, may have been viewed or removed from the servers by the attackers.
Carpenters Benefit Funds Reports Phishing Attacks Exposing PHI on 20K
Pennsylvania-based health plan Carpenters Benefit Funds of Philadelphia reported to OCR on Aug. 31 that an email hacking incident exposed PHI on 20,015 individuals.
In a media notice, Carpenters Benefit Funds said a phishing attack breached employees’ email accounts between April 23 and May 3.
Information that might have been compromised included fund participants’ full names, addresses, health insurance information, bank account information, medical treatment information, driver’s license numbers and/or Social Security numbers.
Carpenters Benefit Funds is providing free credit monitoring and identity theft restoration services to participants who might have had their Social Security numbers compromised.
Phishing Attack Exposed Personal Data on 1,411 Hopebridge Clients
Indiana-based Hopebridge reported to OCR on Aug. 31 that a phishing attack affected PHI on 1,411 individuals.
In a notice on its website, Hopebridge, an autism therapy center, said it discovered on July 19 that an unauthorized individual may have gained access to employees’ email accounts between March and July. Those accounts may have contained clients' financial information.
Hopebridge hired a third-party forensic firm to investigate the breach.
“Our investigation determined that some patient information may have been contained in the email accounts, including patients’ names and that they received services from, or were referred to, Hopebridge,” the notice said.
South Alamo Physician Leaves Practice with Patient List
Texas-based South Alamo Medical Group (SAMG) reported to OCR on Aug. 30 that a security breach exposed PHI on 2,180 individuals.
In a blog post, SAMG said it discovered on July 2 that a physician improperly took a patient list, including names, addresses, telephone numbers, and account balances, when leaving the practice.
“A physician group may not withhold information necessary for a departing physician to provide notice of the departure to patients the physician has seen in the last two years. However, in this instance, the information was taken, and although the physician had seen many of the affected patients in the past, in many other cases, the patients on the list had never been seen by the departing physician,” SAMG said in its blog post.
The practice said it had obtained a court order as part of an effort to prevent the physician from using the confidential information and to require the physician to return the list to SAMG.
United Methodist Homes Employee Sent PHI to Personal Email Account
United Methodist Homes, which operates senior living communities in New York and Pennsylvania, reported to OCR on Aug. 31 that an email hacking incident exposed PHI on 843 individuals.
In a notice on its website, United Methodist Homes said it discovered on July 13 that an employee emailed a spreadsheet to his personal email address with PHI on current and former residents of its Elizabeth Church and Hilltop campuses.
The spreadsheet included name and medical identification number of current and former residents, as well as the names, addresses, and phone numbers of the residents’ contact person(s) on file.
United Methodist Homes said it is providing 12 months of complimentary credit monitoring services to affected individuals.