On May 15, 2017, UC Davis Health suffered a potential security breach when a phishing email was sent to an employee.
Through the phishing email, hackers gained access to the employee’s account and posed as the account owner to send emails to other UC Davis Health employees on May 17.
UC Davis staff recognized the scam when the hackers used the account to make fraudulent requests for large sums of money. Staff members immediately secured the account to prevent further problems.
Following the incident, the health system sent letters notifying about 15,000 potentially impacted patients of the breach and stated there is no evidence to suggest any personal or medical patient information was accessed or acquired.
The affected employee email account contained patient information including names, addresses, and phone numbers. Additionally, some patient medical record numbers, diagnoses, and Social Security numbers were contained within the account.
Due to the sensitivity of the information, the health system is offering identity and credit protection services to potentially impacted patients.
UC Davis Health stated it is evaluating the security measures in place to find any areas in need of additional protective measures.
The health system added it will be notifying relevant government agencies of the breach, including the California Department of Public Health, the California Office of the Attorney General, and OCR.
Walnut Place discovers second ransomware attack
Walnut Place discovered the second ransomware attack the same day it occurred, and immediately expanded its investigation to determine the full scope of the additional incident.
Based on its investigation, Walnut Place stated there exists no evidence to suggest any information from the impacted systems was viewed or misused in any way.
However, the senior living community did determine that unauthorized individuals had accessed its systems containing personal information.
The first observed instance of unauthorized activity occurred on December 19, 2016, and the last occurred on May 8, 2017.
Potentially impacted information includes patient names, Social Security numbers, driver’s license numbers, dates of birth, address information, telephone numbers, medical record numbers, payment information, health insurance information, and clinical information related to Walnut Place residents and patients.
As a result of the incident, Walnut Place notified potentially impacted individuals of the event and enlisted the help of a third-party forensic investigator. The senior living community has also notified the FBI and said the investigation is ongoing.
Walnut Place has set up a call center to answer any questions potentially impacted individuals may have regarding the incident. Additionally, the senior living community has provided patients with one free year of credit monitoring services in an effort to mitigate any further damage.
Walnut Place did not reveal how many patients or residents were potentially affected by the second incident.
University of Iowa Health Care suffers potential security breach impacting 5.3K
University of Iowa Health Care (UIHC) recently notified 5,300 patients of a potential security breach in which some patient PHI was posted online for two years.
In May 2015, the names, dates of admission, and medical record numbers of some UIHC patients were erroneously saved in unencrypted files and posted online in a publicly accessible manner through an application development site.
“An employee used this open source programming tool as part of an application development for UI Health Care operations,” UIHC Spokesperson Tom Moore told The Gazette. “The files were not made private and were left on the site after the work was completed.”
The breach was discovered on April 29 and immediately reported to a UIHC privacy officer.
“As soon as we found out the files could be seen by nonusers, we moved to take them down,” Moore said. “On May 1, they were no longer posted on the web.”
As a precaution, UIHC issued notices to all potentially impacted patients on June 22.
UIHC stated no clinical or financial information was accessible online during the breach.
The healthcare facility has since conducted a full investigation into the incident and strengthened its security measures to prevent similar incidents from occurring in the future.
Some efforts to improve security measures include tightening the process for developing and managing custom databases, educating staff regarding information storage, and enhancing employee training around data privacy.
Menlo Park dental practice suffers ransomware attack
On June 2, 2017, the Menlo Park Dental Practice offices of Dr. Douglas Boucher, DDS and Dr. Andrea Yaley, DDS received a ransomware notice.
Menlo Park believes the hacking occurred on or around May 19, 2017.
Officials immediately launched an investigation into the incident and contacted local and federal authorities to determine the extent of the incident.
Additionally, the dental practice shut down all of its computer systems and implemented additional security measures to further deter future attacks.
Menlo Park stated it was able to restore all of its patient health records from backup systems.
The hacker gained access to Menlo Park’s email system and may have viewed patient dental health records, according to the dental practice’s investigation.
Menlo Park’s email system contains information including patient email addresses and contact information. The patient dental health records contain information such as patient names, home addresses, dates of birth, Social Security numbers, and clinical information.
The practice stated it does not know whether the hacker has acquired or misused any patient information from dental health records, but emphasized it may be possible.
The practice is also offering free credit monitoring services to all potentially impacted patients to mitigate further damage.
Menlo Park added it is assessing its IT practices and security policies, and is working with the Menlo Park Police Department, Sheriff Department, and FBI to identify and prosecute the hacker responsible.
The dental practice did not say in its notification letter how many patients were potentially impacted by the breach.
Baptist Medical Center South discovers missing hard drive containing patient information
On May 18, 2017, Baptist Medical Center South discovered a backup hard drive used for EEG testing was missing from an EEG room.
The medical center immediately launched an investigation into the incident and reviewed what information may have been included on the drive.
Potentially affected information may include patient names, dates of birth, medical record numbers, physician orders, diagnoses, reasons for study, room numbers, and images taken during tests.
According to the OCR data breach reporting tool, the information of 531 patients may have been impacted.
Presently, the medical center has not determined whether the drive was taken, borrowed, or disposed of inadvertently.
However, Baptist Medical stated the information contained on the drive would not be accessible without special software.
Additionally, the medical center said information on the drive did not include Social Security numbers or financial data.
Patients potentially impacted by the incident include only those who received EEG testing at Baptist Medical in 2015, 2016, and 2017.
Presently, there is no evidence to suggest any information contained on the hard drive has been viewed or misused in any way.
To mitigate potential problems, the medical center has issued notices regarding the incident to all affected patients as of June 30, 2017.
“We deeply regret any inconvenience or concern this may cause our patients,” Baptist Medical said in its online statement. “To help prevent something like this from happening in the future, we have reinforced and enhanced our current security practices along with re-educating staff in EEG.”