Texas Health Physicians Group recently disclosed that an unauthorized third party had gained access to some of its email accounts, resulting in a healthcare data breach that affected close to 4,000 patients.
The information that was accessed included names, medical record numbers, dates of birth, addresses, insurance information, clinical information, and, in some instances, Social Security numbers, driver’s licenses, and state identification numbers.
Texas Health Physicians Group reported to the Office for Civil Rights that the breach affected 3,808 individuals.
The healthcare provider said April 13 that it was informed of the breach on January 17, 2018, by law enforcement, which asked it not to inform patients while it was investigating the breach.
Texas Health said that its breach was part of a larger cyber incident affecting multiple entities across the United States.
MEDantex Web Portal Leaking Patient Records, Researcher Finds
The website of MEDantex, a Wichita, Kansas-based medical transcription service, was apparently leaking sensitive patient medical records of thousands of its physician customers, security researcher Brian Krebs reported April 23.
The portion of MEDantex’s web portal intended for use only by physicians to upload audio recordings of patients was open to the Internet, Krebs discovered.
In addition, no authentication was required to use MEDantex employee online tools, which enabled users to add or delete customers and search for medical records by patient name or physician.
MEDantex Founder and Chief Executive Sreeram Pydah told Krebs that the company had recently rebuilt its online servers after suffering a ransomware attack, and this appears to be the reason for the breach.
The website appears to have more than 2,300 physician customers, according to Krebs.
The company lists the following clients on its website: Allen County Hospital in Iola, Kansas; Cooper University Hospital in Camden, New Jersey; ExamWorks; Foundation Surgery Affiliates; Green Clinic Surgical Hospital in Ruston, Louisiana; Jackson Hospital in Montgomery, Alabama; Kansas Spine Hospital, Kansas Orthopaedic Center, and Wichita Clinic, all in Wichita, Kansas; Trillium Specialty Hospital in Mesa and Sun City, Arizona; NYU Langone Medical Center in New York, New York; San Francisco Multi-Specialty Medical Group, San Francisco, California; and Sunrise Medical Group, Miami, Florida.
Alabama Medical Lab Reports Theft of Laptop With PHI
American Esoteric Laboratories (AEL), an Alabama medical lab chain, reported the theft of an employee laptop that may have contained PHI on patients, according to an April 22 report by AL.com.
Information stored on the laptop included patients’ names, addresses, Social Security numbers, dates of birth, health insurance information, and medical treatment.
AEL said it disabled the employee’s email account and the laptop’s access to its computer network when it discovered the theft on October 15, 2017. It also reported the theft to the police.
AEL did not disclose how many patients may have been affected or why it took so long to publicly announce the data breach.
The company said it was now using data encryption, as well as updating relevant policies and procedures, and retraining staff.
Polk County Health Services Notifies 1,071 Patients of Data Breach
On April 13 Polk County Health Services began notifying mental health patients that their PHI was “accidentally and unknowingly disseminated” between June 1, 2014, and January 11, 2018.
The affected patients received services at its Crisis Observation Center in Des Moines, Iowa. Information that was disclosed included full names, home addresses, Social Security numbers, Medicaid identification numbers, and dates of admission and discharge.
Polk County Health Services notified the Office for Civil Rights that the breach affected 1,071 patients.
Polk County Health Services is the regional administrator and the governing board for mental health and disability services on behalf of Polk County, Iowa, under the Polk County Regional Mental Health and Disability Services Management Plan.
The administrator said it is providing free credit monitoring services for those affected by the breach for one year.
MedWatch Says PHI Leaked from Online Portal
MedWatch, a Florida-based care management company, reported April 13 that an unidentified vendor had misconfigured its online portal, which resulted in members' PHI being available to search engines from October 20 to December 15, 2017.
The patient information that was exposed included full names, dates of service, employer group health plan names, dates of birth, health insurance numbers, providers’ full names, and, for some members, Social Security numbers.
“Upon learning of the incident, we immediately secured the portal, requested the internet search engines remove all cached data related to this matter, and conducted an internal investigation to determine the root cause of the incident and to prevent the incident from reoccurring,” the company said in its notice. It also engaged a third-party security firm.
MedWatch said that it has no evidence that members’ PHI was misused. It did not disclose the number of affected members.