- RISE Wisconsin reported June 7 to OCR that it suffered a ransomware attack in which PHI on 3,731 individuals may have been exposed.
In a press release, RISE said that patient names, addresses, dates of birth, Social Security numbers, and some health information may have been accessed by the attackers.
RISE said that it discovered on April 8 that it had been the target of a ransomware attack and took its systems offline. It then engaged a forensics expert and notified law enforcement.
RISE said it is offering free identity protection services to those impacted by the attack. The provider did not say whether it paid the ransom to get access to encrypted files.
“We take the security of all information very seriously and want to assure everyone that we have taken steps to prevent a similar event from occurring in the future. This includes restricting access to our network and increasing staff training regarding information security,” RISE said in its release.
Aflac Says PHI of 10K Clients May Have Been Exposed
Aflac reported to OCR May 29 that the PHI on 10,396 clients might have been exposed when an authorized third-party gained access to Microsoft Office 365 email accounts of its independent contractor insurance agents. These accounts were on a business email system hosted by a third party.
“Data analysis, which was completed April 25, 2018, showed that some of the email accounts may have included HIPAA protected health information (PHI) and other personally identifiable information (PII),” Aflac said in its notice.
“We immediately instituted multiple robust controls to mitigate and remediate the activity, including resetting passwords, isolating the specific email accounts and contacting the affected insurance agents,” Aflac added.
Information that might have been exposed included names, home addresses, dates of birth, policy/certificate numbers, group numbers, type of policy, Social Security numbers, bank account information, and some general health information.
Aflac said it will offer free credit monitoring to individuals who had their Social Security, bank account, or credit card numbers exposed.
HealthEquity Cops to Employee Email Breach
Michigan-based health savings account provider HealthEquity announced June 12 that an unauthorized individual had accessed an employee’s email account, which may have resulted in PHI disclosure.
The PHI at risk included names, emails, HealthEquity member IDs, employer names, HealthEquity employer IDs, healthcare account types, deduction amounts, and Social Security numbers.
HealthEquity informed OCR that 16,000 individuals may have been affected by the breach.
The security incident occurred on April 11, and HealthEquity discovered the breach on April 13. The unauthorized individual’s access to the mailbox was terminated, and an investigation was begun to determine the nature and scope of the event.
HealthEquity engaged a prominent data security forensics firm and confirmed that only one employee email account was compromised.
HealthEquity said it is offering free identity theft and credit monitoring services to all who were impacted. Law enforcement was notified, and the company has enhanced the security of its email systems and retrained its employees.
Update: This article has been updated to include the number of individuals affected by the HealthEquity breach.
Terros Health Phishing Attack Exposes Data on 1,600 Patients
Arizona-based Terros Health had a data breach affecting 1,600 patients, KJZZ reported June 8. An unauthorized third party gained access to an employee’s email account through a phishing attack.
Information that may have been exposed included patients’ first and last names, dates of birth, addresses, and medical records. In about 140 of the cases, a Social Security number was also accessed.
“We have never had a breach of this magnitude in our history,” said Terros Health COO Karen Hoffman Tepper.
“We’re in the process right now of evaluating and doing some additional things in terms of enhancing our policies and procedures and our training to ensure that this doesn’t happen again,” she added.