- Valley Hope Association, a Kansas-based non-profit that provides drug and alcohol addiction treatment, recently announced a data security breach after a work-issued laptop containing patient information was stolen from an employee’s car on December 30, 2015.
In a recent statement on their website, Valley Hope Association acknowledged that sensitive patient information is potentially at risk. The affected information includes patient names in conjunction with one or more personal information identifiers, such as Social Security number, dates of birth, addresses, phone numbers, state identification or driver’s license numbers, physician name, treatment and treatment location, diagnosis, medical record numbers, disability code, usernames and passwords, tax identification numbers, patient account information, health insurance information, financial information, and medical information.
“The employee reported the theft to Valley Hope Association on December 30, 2015, and we immediately launched an investigation to determine the precise contents of the laptop at the time of the theft,” Valley Hope Association confirmed.
“We also disabled the laptop’s network connection capabilities, disabled the employee’s access credentials, and confirmed that our network systems were not accessed by the laptop since the employee’s last valid access before the laptop was stolen.”
Valley Hope Association added that third-party forensics experts have been brought on to help “confirm the nature and scope of this incident.”
The statement did not disclose how many individuals were affected by the security breach, however the OCR data breach tool reported that 52,076 individuals were possibly affected.
Valley Hope Association mailed data breach notification letters about the incident to all potentially affected individuals. All of those individuals will also receive free credit monitoring and restoration services for one year.
Other recent healthcare data security breaches included incidents of an unencrypted email and a stolen hard drive.
Unencrypted email creates potential data breach at St. Louis ACO
According to a statement by BJC Healthcare Accountable Care Organization (BCJ ACO) in the St. Louis area, an unencrypted email was sent to a participating medical practice in the BCJ ACO.
BJC ACO disclosed that 2,393 patients were possibly affected by the data security breach.
The statement reports that on December 30, 2015, an email was sent containing patient information without the necessary security encryption.
The email contained patient names, gender, dates of birth, and Medicare beneficiary identification numbers. Medical information was not sent via email.
“BJC ACO investigated the email transmission and has discovered no indication that anyone other than the intended and authorized recipient at the medical practice read or accessed the email. BJC ACO has taken steps to re-educate staff on the process for sending emails in a secure manner,” the statement confirmed.
BJC ACO mailed a letter explaining the security breach to all individuals who may be affected. They also included information on how to sign up for identity theft protection.
Hard drive stolen at Illinois hospital
Freeport Memorial Hospital (FHN) recently announced that on December 30, 2015, a computer hard drive containing patient information was stolen from an FHN employee’s office that was in a “secure nonpublic area.”
The hard drive contained internal reports and spreadsheets with patient data. The information potentially exposed includes names, phone numbers, addresses, dates of birth, ethnicity, email addresses, medical record numbers, FHN patient identification numbers, patient encounter numbers, Social Security numbers, dates of service, procedures, billing codes, examinations, diagnoses, names of physicians, health insurance information, medication information, and dates of discharge.
FHN confirmed that the hard drive did not contain medical records.
“Additionally, in order to protect against future similar incidents, FHN's information security professionals - together with an external consulting firm - are working to implement new security measures, such as enhanced network monitoring and extending computer encryption procedures to include devices that are stored in physically secure areas,” FHN stated.
FHN did not disclose how many individuals may have been affected, however the OCR data breach portal reports 1,349 individuals may be at risk.
FHN contacted all individuals whose information was on the hard drive. FHN advised tracking financial and health insurance information for potential identity theft. FHN applied an internal alert on all of the medical records that were contained on the hard drive.