Saint Thomas Health Data Breach from Misplaced Documents

Recent potential health data breaches include an instance of misplaced documents, a ransomware attack, and an online error resulting in document delivery to the wrong medical facility.

By Kate Monica

In April, Saint Thomas Health discovered a potential health data breach involving patient information at its facility in Murfreesboro, Tennessee.

The breach potentially impacted 2,859 Saint Thomas patients, the organization said in an online statement.

Hospital documents belonging to Saint Thomas Rutherford Hospital were found along a remote, rural road in DeKalb County.

The misplaced documents contained information including patient names, dates of birth, admitting diagnoses, account numbers, and physician names.

However, an investigation into the incident revealed the documents did not contain any patient Social Security numbers or patient medical records.  

The reports contained a small sample of patient census logs taken throughout 2009 and 2010.

Presently, investigators have not revealed the identity or identities of individuals responsible for the incident.  

“Protecting the privacy of our patients’ information is always a top priority for us at Saint Thomas Health and Ascension,” said Corporate Responsibility Officer and Corporate Privacy Officer of Saint Thomas Health Cynthia Figaro. “Once we were made aware of this breach, we immediately investigated the incident to ensure that no further disclosures were made. Based on our investigation, we do not believe that there is a financial risk to our patients. We sincerely apologize for this incident.”

Saint Thomas has notified potentially impacted patients and hired a vendor to ensure all storage files are secure and accounted for before being destroyed.

The health system has also set up a call center to answer any questions concerned patients may have regarding the safety of their information.

Potential ransomware infection hits Cleveland medical center, encrypts PHI

On April 21, 2017, Cleveland Medical Associates found that its computer network had potentially been infected by ransomware the previous night.

While information on the computer had been encrypted and locked, Cleveland Medical said in a statement posted to its website that no evidence exists to suggest patient data has been compromised.

Additionally, the ransomware infection has not impacted the medical center’s ability to care for its patients.

In response to the incident, Cleveland Medical implemented a new medical records system and analyzed its security procedures in an effort to avoid similar incidents in the future. The medical center also hired a forensic investigation firm to determine which patient information was potentially impacted by the event.

According to Cleveland Medical, there is no evidence to suggest any patient’s PHI has been stolen or misused.

However, the investigation did not determine whether any individuals had gained unauthorized access to any patient PHI.

Information contained on the affected server included demographic information such as patient names, addresses, telephone numbers, email addresses, and Social Security numbers. Additionally, clinical information such as medical records, and other data such as insurance billing information were contained on the affected server.

Cleveland Medical notified potentially impacted patients of the incident and is providing concerned patients with free identity protection services for one year.

The medical center has not revealed how many patients were impacted by the breach.

Experian Health security breach potentially impacts Southern Illinois Healthcare

Two of Experian Health’s electronic platforms recently experienced an error resulting in the delivery of certain Southern Illinois Healthcare (SIH) patient information to incorrect medical facilities.

Experian Health notified SIH of the potential breach on April 28, 2017, SIH said in its data breach notification letter.

According to Experian Health, the breach likely occurred between February 13 and March 13, 2017 during a server migration project as a result of an isolated error.

Misdirected data included dates of birth, gender, addresses, Medicare ID/HIC numbers, insurance information, and Medicaid case numbers.

Experian Health stated the information would have only been viewed or saved by another covered entity governed by HIPAA and subject to the same privacy requirements as SIH, and not the general public.

Upon discovering the error, Experian Health identified the cause of the error and corrected the problem.

SIH also conducted its own investigation into the incident and verified that Experian Health has fixed the error.

The health system has offered free identity protection services for two years to all SIH patients that may have been affected.

Additionally, SIH set up a call center to answer any additional questions potentially impacted patients may have regarding the incident.

Aetna inadvertently exposes patient information of Ohio, Texas residents

The patient information of 1,708 Ohio residents with Aetna insurance was recently exposed online for a period of time.

“The information available online generally included first name, last name, Aetna member identification number, provider information, claim payment amount, and in some cases procedure/service codes and dates of service,” said Aetna in a statement in Metro News.

The insurance provider said in May that the potential breach occurred as a result of two computer services displaying documents and intended recipients.

To resolve the issue, Aetna blocked search engines from displaying any information contained in the documents.

Aetna stated it is notifying patients of the incident and setting up a toll-free call center to answer any questions concerned patients may have.

Aetna added there currently exists no evidence suggesting any patient information was misused in any way.

Additionally, no patient Social Security numbers were exposed in the breach.  

A similar incident also potentially impacted the information of 522 Texas residents receiving health insurance through Aetna, according to a Statesman report.

As with the breach in Ohio, this incident also involved patient names, Aetna member identification numbers, provider information, claim payment amounts, and sometimes service codes and dates of service. 

