Malware that infected a number of Florida Hospital websites may have created a PHI data security issue, the Orlando Sentinel reported May 2.
Patient information that could have been exposed includes patient names, email addresses, phone numbers, birth dates, height, weight, insurance carriers, and the last four digits of Social Security numbers, according to a news release cited by the newspaper.
Florida Hospital informed the Office of Civil Rights on May 3 that 12,724 individuals were affected.
The compromised websites were FloridaBariatric.com, FHOrthoInstitute.com and FHExecutiveHealth.com.
“The scale of this exposure was limited, and it was confirmed that no financial records were affected,” Florida Hospital said in its news release quoted by the newspaper. “There is no evidence to suggest patient information has been misused, but in an abundance of caution, impacted individuals are being offered free online internet monitoring,” it added.
“All appropriate steps are being taken to address any vulnerabilities across our online networks. Patient medical records remain current, accurate and available in our electronic medical records systems,” according to the health system.
Knoxville Heart Group Admits to Data Breach Affecting 15K Patients
Knoxville Heart Group (KHG) said April 27 that it discovered February 26 that someone had gained unauthorized access to an employee’s email account and possibly accessed patients’ PHI.
The provider informed the Office of Civil Rights that 15,995 individuals were affected.
The information that may have been accessed included name, date of birth/death, address, email, telephone, medical information/test results commonly found in a medical record, and health insurance information. Some emails contained patients’ Social Security numbers, driver license numbers, financial account information, and user name and password.
KHG did not indicate in its announcement that it was providing credit monitoring services to those affected by the breach.
Maximus Notifies 1,100 Texas Families about Third-Party Data Breach
On April 17, Maximus notified around 1,100 Texas families participating in the Medicaid and Children’s Health Insurance Program that a printing error at third-party vendor Business Ink resulted in some program participants receiving a letter that included personal information meant for another participant.
The information in the letters included names, addresses, group and case numbers, and program type, according to a copy of the notification provided to DataBreaches.net. The letters did not contain Social Security numbers, dates of birth, financial information, or information that could be used to access another person’s program account.
Business Ink accidentally mismatched one page of a six-page letter, and some participants received information intended for another participant. Maximus said it learned about the printing error on February 16, 2018, and promptly launched an investigation.
“After a thorough investigation, we have no reason to believe that the information contained in the letters has been misused. Business Ink has taken immediate action to strengthen its printing process,” Maximus Senior Vice President and Privacy Official Ira Rothman stated.
Maryland Provider Reports Cloud Data Breach by Third-Party Vendor
Maryland-based Capital Digestive Care (CDC) reported that a third-party vendor stored patient data files on a commercial cloud server without adequate security, according to an April 27 notification posted to the New Hampshire Attorney General’s Office.
The information was posted on Schedule a Visit and Contact pages on CDC’s website. The healthcare provider informed the vendor, who then secured the data files and investigated the incident. The vendor determined that the patient information exposed included name, address, telephone number, email address, date of birth, and potentially health information.
CDC stressed that no electronic medical records, Social Security numbers, financial account or payment transaction information were involved.
The healthcare provider did not disclose the total number of patients impacted, but did tell the state Attorney General that five New Hampshire residents were affected.
Oregon Clinic Employee Email Account Compromised by Hacker
Oregon Clinic announced May 9 that a hacker gained access to an employee email account and may have accessed PHI on that account.
PHI that may have been compromised included names, dates of birth, medical record numbers, diagnosis information, medical condition, diagnostic tests performed, prescription information, and/or health insurance information. For a small number of patients, Social Security numbers also may have been affected.
The specialty physician practice said it found out about the breach on March 9 and disabled the unauthorized access to the email account.
It hired an outside digital forensics firm to conduct an investigation, which concluded on April 19 that PHI had been affected by the breach.
Oregon Clinic said it was providing free credit and/or identity monitoring services for one year to those affected by the breach.