Healthcare Information Security

Unauthorized HIE Access Leads to MA Data Security Incident

Recent cases of healthcare data security incidents include unauthorized HIE access, a printing error, an email error, and unauthorized server access.

By Elizabeth Snell

Massachusetts-based Codman Square Health Center is notifying patients that some of their information may have been exposed after a data security incident stemming from unauthorized HIE access.

Codman was notified on July 13, 2016 that an employee had accessed the New England Healthcare Exchange Network (NEHEN) without authorization and against Codman policies. According to the OCR data breach reporting tool, 3,840 individuals were affected by the incident.

Along with information on certain Codman patients, the online statement added, some of the accessed information may have included that of non-Codman patients.

Data on the NEHEN network contained names, addresses, dates of birth, gender, medical services payer information, and medical insurance coverage information. Social Security numbers may have been included in some cases as well, but Codman added that there is no indication that the information was misused.

Affected Codman patients will receive notification via mail, and if individuals do not receive a letter, then they were not affected by the data security incident.

“Those Codman patients who do not receive a letter have not been affected,” Codman explained. “For affected individuals who are not Codman patients, those directly affected will be notified by mail if contact information is provided. The health center has suspended or terminated all employees involved in the incident. Codman Square has also retrained all employees.”

Oklahoma health system reports possible ransomware attack affecting 6K

Oklahoma-based Saint Francis Health System had a server accessed by an unauthorized party, and patient information was obtained, according to a News on 6 report.

Saint Francis received an email on September 7, 2016 informing it that the incident had taken place, and spokesperson Sevan Roberts added that there was an anonymous demand for payment for the information to be recovered.

“Saint Francis decided not to act on the demand because payment does not guarantee or prevent data from being disclosed,” said a Saint Francis statement. “The health system understands the importance of protecting our patients' information, and deeply regrets that this occurred.”

Roberts told the news source that the information on the server appeared to include approximately 6,000 names and addresses. However, Social Security numbers, driver's license numbers, and financial information were not included.

The server has been disabled and the health system said it is working with local law enforcement.

“Saint Francis has also been working with a leading forensics firm to investigate this incident and look for ways to enhance our existing security measures,” the statement read. “Notification letters are being mailed to those individuals who may have been affected and complimentary participation in identity monitoring service is provided.”

Health system notifies 1K members of printing error

A California health system is notifying 1,000 members of an internal printing error that may have exposed a limited amount of patient information.

CalOptima explained in an online statement that the printing error took place on October 7, 2015, and involved “CalOptima MediCal members with diabetes receiving a health incentive survey that may have included an extra survey meant for another member.”

The health system learned about the incident on October 8, 2015 and said that it immediately stopped all printing. The surveys that had already been processed for mailing could not be retrieved.

OCR lists 1,000 individuals as having been affected, while the CalOptima statement says 100 members were affected.

The survey information included the member’s first and last name, Client Identification Number (CIN) and, in some cases, information about the member’s diabetes diagnosis. Data such as Social Security numbers, driver’s license numbers or financial account numbers were not included.

“Your privacy is very important to us, and we apologize for this mistake,” CalOptima stated. “We have reviewed and changed our procedures and practices to minimize the risk of this event happening again. Extra training was provided to the business unit where the error occurred.”

KY facility email error affects 674 individuals

St. Elizabeth Physicians announced in an August 23, 2016 statement that it “inadvertently released the email addresses of 674 individuals in an email sent by its Weight Management Center inviting the recipients to a vitamin presentation and open forum meeting.”

The incident happened when the email sender did not blind copy the recipients, which made all email addresses visible to all recipients.

St. Elizabeth explained that the only information disclosed was email addresses, and that Social Security numbers, phone numbers, addresses, and any other personal health or identification information were not disclosed.

Even so, the facility said that it is offering affected individuals one year of complimentary identity theft monitoring.

“St. Elizabeth Physicians has promptly and thoroughly investigated the matter and has reviewed its procedures,” the statement read. “Corrective action has been pursued to avoid this from happening in the future.”  

