A programming error that occurred during the preparation process for mailing out certain IRS tax forms may have led to documents being sent to the wrong recipients, creating a data security concern for some individuals, according to SAMBA Federal Employee Benefit Association (SAMBA).
SAMBA is a federal employee benefit association, and also offers coverage to eligible family members of subscribers.
The organization said in a statement that the process to send out Form 1095-Bs to plan subscribers for the 2017 tax year began on February 19, 2018. Subscribers’ Social Security numbers were reportedly not disclosed in the incident.
However, SAMBA also explained that “some subscribers received a Form 1095-B containing the name and Social Security number for one or more family members of another plan subscriber.
“All subscribers received a Form 1095-B that was erroneously dated 2016,” SAMBA said. “SAMBA became aware of the issue on or around February 22, 2018. SAMBA corrected the programming error and mailed corrected 2017 Form 1095-B notices to all subscribers. The incorrect 2016 Form 1095-B notices were not submitted to the Internal Revenue Service.”
There is no indication that any information has been misused. SAMBA said it has still sent letters to subscribers who have “received erroneous” data, asking them to destroy the Form 1095-Bs in question.
The submitted report to OCR states that 13,942 individuals may have been impacted.
Those who were potentially affected will also be given free credit monitoring and identity restoration services.
Information made publicly available on provider database
Two spreadsheets stored on a database were publicly available online because of a problem with the Arc Erie County New York’s (The Arc) website, according to a company statement.
The exposure took place approximately from July 2015 to February 15, 2018, and may have impacted about 3,700 individuals.
A website coding error likely caused the exposure, The Arc stated. The defective link was deactivated and removed from the website.
The Arc said it is “working with a data security firm and various internet search engine providers to ensure removal of any information that might remain available through the internet.”
Additionally, The Arc is assessing its data security for further vulnerabilities and is reviewing and updating its policies, practices, and training.
The statement did not specify what information was on the spreadsheets and may have been available for public viewing. Individuals who were involved in programs offered by The Arc in that timeframe may have been affected.
Hospital data breach stems from improper document disposal
Georgia-based St. Francis Hospital reported to OCR that 1,412 individuals may have been impacted in an incident of improper document disposal.
St. Francis said administrative documents that were meant to be shredded were “inadvertently picked up and improperly disposed of with the Hospital's regular waste on January 14, 2018.”
The hospital became aware of the incident on January 15, 2018.
Documents may have contained patient names, dates of birth, Social Security numbers, addresses, diagnoses, account numbers, final bill dates, discharge dates, last payment dates, insurance balances, or account balances.
“St. Francis is taking this matter very seriously,” St. Francis explained in its online statement. “The Hospital conducted an extensive investigation and has been informed that the documents are likely deeply buried in a landfill within a secure facility and are unable to be retrieved. At this time, St. Francis has no reason to believe the documents were actually used by any unauthorized individuals.”
St. Francis added that it is re-educating all applicable staff on proper document management processes that are in accordance with hospital policies.
Free credit monitoring will also be offered to individuals who were potentially affected.
Former dermatology organization employee gains access to patient data
A recently terminated Front Range Dermatology Associates, PC (FRDA) employee acquired a six-month cost report that contained certain patient PHI, according to a company statement.
The former employee received the report from another employee. The report “listed patients seen in the clinic by the former employee for whom payment was received in that six month period.”
The OCR data breach reporting tool states that 1,070 individuals may have been affected.
Patient full names, FRDA medical record numbers, dates of services, CPT billing codes for the types of services provided, the names of insurance companies (or indication if a patient paid out of pocket), and the dates and amounts of payments were included in the cost report.
Social Security numbers, addresses, dates of birth, insurance ID numbers, credit/debit card numbers or any bank account information were not involved, FRDA said.
“FRDA investigated the incident and promptly terminated the employee who inappropriately provided the cost report to the former employee,” the organization explained. “FRDA demanded in writing that both former employees delete and destroy all copies of the report containing patients’ information.”
“FRDA believes that the report was taken by the former employee to attempt confirmation of compensation owed or for future contact with patients at a different medical practice.”
Additional restrictions on access to reports in FRDA’s computer system were added, and the organization said it is providing additional mandatory employee training on patient data privacy and security.
Even though Social Security numbers were not in the report, FRDA said potentially affected individuals will be offered free online credit monitoring services.
Another provider reports data breach from missing unencrypted disc
CareMeridian, LLC is seemingly another organization that was impacted by a third-party software provider sending an unencrypted disc in the mail, which was then lost.
CareMeridian said that it discovered on December 21, 2017 that the disc appeared to have been lost in the mail. Patient names and limited medical information were on the disc, as well as Social Security numbers of 13 individuals.
“CareMeridian is unaware of any actual or attempted misuse of the information, and emphasizes that it cannot confirm whether the information was actually accessed,” the organization statement read. “Nevertheless, we encourage affected individuals to review financial statements, monitor credit reports, and report suspicious activity to the institution with whom the information is shared.”
The CareMeridian statement is very similar to one from National Mentor Healthcare, LLC (d/b/a Georgia MENTOR).
Georgia MENTOR also discovered on December 21, 2017 that an unencrypted disc sent from a third-party software vendor had been lost in the mail. Individuals’ names and medical information were reportedly on the disc, with one individual’s Social Security number.
Stolen laptop creates PHI data security concern for testing laboratory
A Clinical Pathology Laboratories Southeast, Inc. (CPLSE) employee laptop was stolen on September 20, 2017, according to a CPLSE statement.
The device may have contained names, addresses, Social Security numbers, driver’s license or government identification numbers, medical record identification numbers, and/or medical treatment information for certain CPLSE patients and their payment guarantors.
CPLSE said it disabled the device’s access to the CPLSE computer network. The organization has since increased the security of its systems and networks “through the use of encryption technology.” CPLSE added that it has updated any relevant policies and procedures and has retrained staff members.
OCR states that 500 individuals may have been impacted by the incident.
MS Department of Health reports PHI breach from inadvertent email
A Mississippi State Department of Health (MSDH) employee “unknowingly emailed” a spreadsheet containing PHI to a contractor for the Centers for Disease Control and Prevention (CDC), according to an MSDH statement.
The email was sent on January 25, 2018, and was not meant to be sent to the contractor.
“Each person who mistakenly received the spreadsheet said they deleted all traces of the email from their inbox and did not share the email or what was in it,” MSDH said. “It is unlikely that the personal information was viewed by anyone. However, because this email was sent unprotected, there is a possibility that it was seen by someone who could misuse it.”
The spreadsheet contained PHI such as names, dates of birth, Social Security numbers or lab results.
Potentially affected individuals will be offered free credit monitoring protection for one year, MSDH stated.
MSDH did not specify how many may have been impacted, and at the time of publication a notice was not yet submitted to OCR.