- Carl Albert State College (CASC) is re-notifying certain individuals of unauthorized server access from 2016 that may create data security concerns.
CASC explained in an online statement that the server was accessed on April 7, 2016. It contained data on current and former Oklahoma Department of Human Services (DHS) Temporary Assistance for Needy Families (TANF) clients. The information included names, addresses, dates of birth and Social Security numbers.
“There is no evidence that any data was downloaded from the Carl Albert State College computer server,” the organization stated. “CASC took immediate steps to secure the data and both DHS and CASC continued monitoring efforts after the breach to ensure this type of incident does not occur again.”
While the statement did not specify that medical or health information was involved, CASC explained that DHS has responsibilities under HIPAA and HHS. These responsibilities “requested DHS send a second notice which was mailed Nov. 30, 2017.”
OCR states that 47,000 individuals were potentially impacted by the incident.
UNC Dermatology notifies 24K following computer theft
The UNC Faculty Physicians practice UNC Dermatology recently reported that a break-in occurred at the UNC Dermatology & Skin Cancer Center on October 8, 2017.
A computer containing information on patients of the former “Burlington Dermatology Center” or “Burlington Dermatology” was stolen in the incident. There are approximately 24,000 individuals who will receive notifications, the statement read.
“UNC Health Care acquired the practice assets of Burlington Dermatology in 2015,” UNC said. “As part of this transaction, a computer containing patient information of patients seen at Burlington Dermatology remained onsite at the practice. This was the computer which was stolen, and UNC Health Care has reason to believe that the stolen computer contained information about patients seen at Burlington Dermatology through September 2015.”
Patient names, addresses, phone numbers, employment status, employer names, dates of birth and Social Security numbers were on the password-protected database. However, treatment, diagnosis or prescription records were not likely kept on the computer other than diagnosis codes used for billing purposes.
“We have ensured that all remaining computers acquired from, or kept for use by Burlington Dermatology have been properly secured,” UNC Health Care Chief Privacy Officer David Behinfar said in a statement. “UNC Health Care has also implemented process improvements to ensure that future acquisitions of physician practices include a process to properly secure legacy computers and electronic patient information.”
Ransomware incident impacts Hackensack Sleep and Pulmonary Center
Hackensack Sleep and Pulmonary Center LLC announced that it was the victim of a ransomware attack on September 24, 2017. The organization said it discovered the incident on September 25.
“The virus encrypted (locked) our electronic medical record files and the attacker demanded a ransom to “unlock” the files,” the organization said. “We did not pay the ransom. We used an unaffected off-line backup copy to restore our medical record files, and we are confident they are intact.”
There is no indication that the data was viewed or removed, and Hackensack Sleep stated these incidents are usually meant to extort money from organizations.
Potentially impacted information includes medical records (diagnosis, office notes, procedures, reports), personal identifiers (name, date of birth, address, Social Security numbers, credit card numbers and account information) and insurance information.
“Upon our discovery of this event, we immediately notified the New Jersey State Police Cyber Crimes Unit and hired a computer forensics expert to help protect our patients, assist in our investigation, and make recommendations to prevent future incidents,” the organization maintained. “We are implementing security measures to enhance the security of our systems.”
The OCR data breach reporting tool states that 16,474 individuals were potentially affected.
Phishing incident affects Sinai Health System
Sinai Health System (SHS) experienced a phishing attack on October 2, 2017, according to an online SHS statement.
Two SHS employees had their credentials taken due to a phishing email, and approximately 11,350 individuals may have been affected, the organization said.
SHS did not specify what patient information may have been involved, but stressed that it believes “that the risk of exposure of patient health information is low.”
“The SHS Information Technology (IT) team deleted all copies of the phishing email to prevent further exposure, provided all system users with a warning about the phishing email involved in this incident and changed the passwords of all SHS system users,” the statement read. “The IT team also implemented a new warning, posted at the top of every email that originates from outside the SHS system, advising users not to click on any link or attachment unless the user recognizes the sender and knows the content is safe.”
Boxes missing from storage facility creates data security incident
Franciscan Physician Network of Illinois (FPN Illinois) and Specialty Physicians of Illinois, LLC (formerly known as Wellgroup Health Partners, LLC, “SPI”) recently announced that boxes containing patient information could not be found in a storage facility on November 21, 2017.
The boxes with 22,000 patient payment records could not be located and contained records from 2010 and 2015 to 17.
The information was found to be missing following a routine records request, the organizations explained. A further inventory audit revealed that 40 boxes could not be located.
Patient names, addresses, payment dates, payment amounts, payment method, office location and the last four digits of patient credit card numbers were in the boxes. For a small number of patients who paid with a check, the records may contain the patient's routing number, bank account number and Social Security number.
“We are conducting a thorough investigation to identify additional measures we can take to prevent similar incidents in the future,” SPI Executive Director Craig Miller said in a statement.
Franciscan Physician Network Vice President Claude Foreit added that steps have been taken to improve payment records safeguards. This includes “bolstering physical security, updating the tracking system for paper records, and retraining employees responsible for handling these records."
Individuals who have been affected will be offered two years of complementary identity theft protection services.
The statement did not say how many individuals had their information involved.