On February 27, 2017, the Diamond Institute for Infertility and Menopause discovered a potential data breach in which an unauthorized individual gained access to a third-party server containing patient EHRs.
While the patient EHRs and the database itself were both encrypted, officials stated some support documents may have been accessed.
To mitigate any potential damage, the New Jersey healthcare organization immediately launched an investigation into the incident.
Diamond Institute determined potentially viewed information included patient names, addresses, dates of birth, Social Security numbers, lab results, and sonograms.
Law enforcement stated two New Hampshire residents were impacted by the breach. However, the OCR data breach reporting tool reports that 14,633 individuals potentially had their information exposed.
On April 28, 2017, Diamond issued advisory letters notifying potentially affected individuals of the incident.
The healthcare organization is changing all server passwords, updating its firewall and virtual private network credentials, and is closing inactive ports to avoid future incidents.
Additionally, Diamond is offering concerned individuals free credit monitoring and identity theft protection services for one year.
Stolen hard drive exposes 2.2K patients’ data
On or around March 6, 2017, a hard drive storing the personal information of 2,200 LSU Health New Orleans patients was stolen from the healthcare organization’s Department of Neurology Research.
LSU immediately enlisted the help of law enforcement to track down the stolen drive. While the police made an arrest on March 7, the hard drive has not yet been recovered, according to The New Orleans Advocate.
The hard drive contained information including the names, dates of birth, diagnoses, and treatment codes of patients involved in research studies between 1998 and 2009.
LSU officials stated the drive did not contain any patient Social Security numbers, credit card information, bank account data, or other financial information.
The LSU Healthcare Network has notified potentially impacted patients of the incident to avoid further issues.
Presently, the network has no evidence any data has been accessed or misused in any way, but advises concerned patients to take the necessary steps to protect themselves from identity theft.
Officials stated certain security policies in place, including the use of encrypted mobile devices, were not properly followed in this incident, and that necessary disciplinary action will follow.
The network will be updating its security policies and incorporating the updated policies into its training programs in an effort to avoid similar incidents in the future.
NSU hard drive theft potentially impacts over 1K patients
Nova Southeastern University (NSU) suffered a data breach on February 28, 2017 in which two unencrypted portable hard drives were stolen from an employee.
According to the OCR data breach reporting tool, 1,086 individuals may have had their information exposed.
The stolen hard drives contained lab results from the university’s Institute for Neuro-Immune Medicine, the school said in its statement. Information contained on the hard drives included patient names, provider names, and lab results.
NSU officials maintain the drives did not contain any patient Social Security numbers or financial information.
Upon learning of the incident, NSU immediately launched an investigation with the help of law enforcement to recover the stolen hard drives.
Despite these efforts, law enforcement has yet to locate the missing hard drives.
The university began notifying potentially impacted patients of the incident on May 1, 2017 and has established a call center to answer any questions concerned patients may have regarding their information.
Over 2M patient health records potentially exposed by website glitch
A Las Vegas IT consultant recently informed computer security reporter Brian Krebs of a flaw on the True Health Diagnostics website. The flaw reportedly exposed the detailed electronic health records and blood tests of all its patients: changing a single digit in the URL of a PDF attachment returned another patient's report, because the portal checked only that a user was logged in, not that the requested record belonged to that user.
The PDF attachments contained large amounts of sensitive PHI including indicators of genetic abnormalities as well as potential current and future diseases.
Krebs explained on his blog that he immediately notified True Health Diagnostics of the problem. In response, the organization disabled the flawed patient EHR portal, fixed the problem over the weekend, and brought the portal back online.
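The True Health flaw is the classic insecure direct object reference: a sequential record number in the URL and no ownership check behind it. The following is an added illustration, not code from the article or from True Health, using constructed sample records and constructed access-log lines. It shows a download handler that only verifies login (the failure mode described above) beside one that also verifies that the requester owns the report, plus a simple detection that flags accounts requesting an unusual number of distinct report IDs.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Report:
    report_id: int
    owner: str      # patient account the PDF belongs to
    filename: str


# Constructed sample records (hypothetical; not real patient data).
REPORTS = {
    1001: Report(1001, "alice", "alice_labs.pdf"),
    1002: Report(1002, "bob", "bob_labs.pdf"),
    1003: Report(1003, "carol", "carol_labs.pdf"),
}


class AccessDenied(Exception):
    """Raised when the requester may not see the report."""


def fetch_report_vulnerable(report_id: int, current_user: Optional[str]) -> Optional[Report]:
    """Checks only that someone is logged in. Any authenticated user who
    edits the number in the URL receives another patient's PDF."""
    if current_user is None:
        raise AccessDenied("login required")
    return REPORTS.get(report_id)


def fetch_report_hardened(report_id: int, current_user: Optional[str]) -> Report:
    """Checks that the requester owns the report. A missing report and a
    foreign report produce the same error, so the ID space cannot be
    probed for which numbers exist."""
    if current_user is None:
        raise AccessDenied("login required")
    report = REPORTS.get(report_id)
    if report is None or report.owner != current_user:
        raise AccessDenied("report not found")
    return report


# Constructed access-log format: "<user> GET /reports/<id>.pdf <status>".
LOG_LINE = re.compile(r"^(?P<user>\S+) GET /reports/(?P<rid>\d+)\.pdf (?P<status>\d{3})$")


def flag_enumeration(log_lines: Iterable[str], max_distinct: int = 3) -> List[str]:
    """Return accounts that requested more than `max_distinct` distinct
    report IDs. A patient normally views a handful of their own reports;
    a run of many different IDs from one account is the signature of
    someone walking the ID space, and is worth an alert even when the
    ownership check above is in place."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # ignore lines that are not report downloads
        seen[m["user"]].add(int(m["rid"]))
    return sorted(user for user, ids in seen.items() if len(ids) > max_distinct)


# Constructed log sample: "mallory" walks four consecutive IDs.
SAMPLE_LOG = [
    "alice GET /reports/1001.pdf 200",
    "alice GET /reports/1001.pdf 200",
    "mallory GET /reports/1001.pdf 200",
    "mallory GET /reports/1002.pdf 200",
    "mallory GET /reports/1003.pdf 200",
    "mallory GET /reports/1004.pdf 404",
    "bob GET /reports/1002.pdf 200",
]


if __name__ == "__main__":
    # Logged in as alice, request bob's report through both handlers.
    print("vulnerable:", fetch_report_vulnerable(1002, "alice"))
    try:
        fetch_report_hardened(1002, "alice")
    except AccessDenied as exc:
        print("hardened:", exc)
    print("flagged accounts:", flag_enumeration(SAMPLE_LOG))
```

The ownership check is the actual fix; unguessable identifiers (random tokens instead of sequential numbers) only raise the cost of probing and should be layered on top of it, not used in place of it. The threshold in `flag_enumeration` is a constructed value for the sample; in practice it would be tuned to how many reports a patient account legitimately holds.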
“Upon discovering the potential for registered users of our patient portal to access data for individuals other than themselves, we immediately shut down the system in order to resolve any vulnerabilities,” the company stated in an email to Krebs. “True Health has total confidence that all patient records are fully secure at this time. We regret this situation and any harm it may have caused.”
True Health also launched an investigation into the incident to determine if any patient health records had been improperly accessed.
“It will be thorough, speedy and transparent,” the company stated in the email. “Nothing is more important to us than the trust that doctors and patients put in our company.”
True Health’s investigation into the incident is ongoing.
While officials are uncertain of how many individuals may have been impacted by the incident, the IT consultant who initially discovered the problem stated in an email to Krebs that he estimated at least two million records were exposed.