Healthcare Information Security

Latest Health Data Breaches News

Stolen, Unencrypted Drive Causes Data Security Concern for 15K

Recent potential healthcare data breaches include a stolen unencrypted jump drive, a large-scale fraud scheme, and a ransomware attack.

Health Data Breaches.

Source: Thinkstock.

By Kate Monica

- Western Health Screening (WHS) recently issued a letter notifying individuals of a possible data security breach in which a WHS-owned vehicle containing an unencrypted jump drive was stolen.

The jump drive contained the personal information of 15,326 patients, according to the OCR data breach reporting tool.

The vehicle was passing through Salt Lake City, Utah on its way to a health fair at the time of the incident.

WHS immediately launched an investigation and determined on February 15, 2017 that the jump drive was unencrypted.

The jump drive contained health fair participant demographic information of health fair participants from 2008 to 2012. The data included names, addresses, phone numbers, and some Social Security numbers.

READ MORE: Kentucky Health Center Ensures PHI Security After Email Gaffe

The healthcare organization reported the incident to the Salt Lake City Police Department. While the jump drive has not been recovered, the investigation is ongoing.

WHS stated the stolen drive is password protected and does not contain any medical information, such as blood test results, or financial information.

The organization presently has no evidence to suggest any participant information has been misused.

To mitigate further issue, WHS is offering free credit and identity monitoring to any concerned patients for one year.

Ransomware attack impacts over 9K patients

READ MORE: NY Computer Virus Raises Healthcare Data Security Concerns

On February 7, 2017, Cardiology Center of Acadiana (CCA) suffered a ransomware attack on the practice’s encrypted server.

The hacked server contained patient names, addresses, dates of birth, billing information, clinical data, images, and Social Security numbers. The OCR data breach reporting tool states that 9,681 individuals were potentially affected.

To date, the practice stated it has no evidence any information has been misused.

CCA upgraded its antivirus software and closed all external points potentially targeted during the attack to prevent further problems. Additionally, CCA reported the incident to the FBI.

BioReference employee terminated after improper data disposal

READ MORE: 55K Potentially Affected by Virus Encrypting Pediatric Servers

BioReference Laboratories, Inc. recently discovered a security incident in which one of its employees improperly discarded documents in a dumpster in Davenport, Florida.

The employee was instructed to shred and properly dispose of the documents as they contained sensitive patient PHI. The records included information such as patient first and last names, dates of birth, medical record numbers, Social Security numbers, insurance information, and more.

According to the OCR data breach reporting tool, approximately 1,772 patients were potentially impacted by the incident.

At this time, BioReference stated there exists no evidence suggesting any patient information has been misused in any way.

BioReference has since recovered the records and terminated the employee responsible for the security issue.

The organization reported it will make all necessary changes to its security policies and retrain its staff accordingly.

BioReference is also offering free credit monitoring services to all concerned patients.

University of California exposes scheme to steal student health information

The University of California (UC) announced last week it discovered an instance of large-scale fraud targeting students through UC’s student health plan.

Individuals stole nearly $12 million from UC by writing fraudulent medical prescriptions in students’ names after illegally obtaining patient information.

University officials stated the scheme began around the fall of 2016.

UC intends to file for a temporary restraining order on Friday in Los Angeles County Superior Court to bar participants in the scheme from entering the university’s campus. Participants in the scheme stole patient information by posing as clinical trial and job recruiters at campus fairs and convincing students to provide personal information to enroll.

 “Our first priority is to our students,” Executive Vice President for UC Health John Stobo said in a statement. “This needs to be immediately stopped. We have identified nine different health care providers who prescribed medications to these students, likely without any indication of physical exams or even a physician-patient relationship.”

UC students were targeted through Facebook ads and were offered up to $550 in cash to participate in false clinical trials through a company called California Clinical Trials, LLC. Scheme participants then ordered medications using student information, which were sent by mail without pharmacist consultation.

“We are also concerned that the defendants appear to have convinced more than 500 students to part with sensitive personal information, which was then abused,” said UC Associate Vice President for Student Affairs Robin Holmes-Sullivan. “For this reason, in addition to pursuing the temporary restraining order, we are arranging identity protection services for all affected individuals.”

Most prescriptions were filled at pharmacies in Studio City and Chino, California, according to UC’s filed complaint.

The prescription drugs involved compound vitamins, often called convenience kits, which are generally low-cost medications billed to patients, their insurers, and government health programs for thousands of dollars per drug.

Over 600 prescriptions for three medications were written by a podiatrist and filled at a cost of over 1.7 million in a single day, according the court documents.

The university has not disclosed how many individuals were impacted in the incident.

UC is currently notifying all students whose personal information was abused during the scheme. The university is also cautioning students to remain skeptical of any individuals offering easy cash in exchange for information.

The university has involved law enforcement in criminal, civil, and administrative investigations. 


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks