- A Pennsylvania-based healthcare network is facing a possible healthcare data breach after one of its databases was left unsecured on its website, according to a recent press release.
Einstein Healthcare Network stated that approximately 3,000 individuals were affected.
On February 2, the healthcare system discovered that one of its website databases was accessible to unauthorized users. The database contained patient information that was entered by individuals on the “Request for Information” form on the healthcare network’s webpage.
The website was not connected to EHR systems, reported Einstein Healthcare Network.
Potentially disclosed information included patient names, telephone numbers, reasons for submitting requests, healthcare provider names, and health information.
The healthcare system confirmed that the database did not contain Social Security numbers, financial information, or EHR information.
Only individuals who entered information on the webpage’s form before February 2016 were possibly affected.
Upon discovery, Einstein Healthcare Network secured the website database and removed it from public view. The healthcare system also launched an internal investigation.
In response, notification letters were mailed to all potentially affected individuals and a call center was created to answer questions about the security event.
Einstein Healthcare Network stated that it is committed to improving security measures on its website to prevent possible future healthcare data breaches.
Possible healthcare data breach at FL Department of Health
The Florida Department of Health in Palm Beach County recently reported a possible healthcare data breach that affected more than 1,000 individuals.
The potential breach was discovered when Federal law enforcement officials acquired a list containing the health information of past and current patients at local clinics affiliated with the healthcare system.
Information on the list included names, dates of birth, Social Security numbers, Medicaid numbers, phone numbers, and medical record numbers.
The Florida Department of Health has not released information on how the possible healthcare data breach occurred.
To resolve the security incident, the department mailed notification letters to all potentially affected individuals and encouraged patients to monitor their credit reports.
“The Department of Health takes its role of safeguarding client’s personal information very seriously and is keenly aware of how important this information is to everyone and is fully committed to safeguarding all confidential information,” stated the press release. “The department trains staff on the importance of safeguarding protected health information by requiring annual HIPAA and Privacy and Information Security training to all employees.”
Stolen laptop in MN leads to potential PHI disclosure
OptumRx, the pharmacy care branch of a health services and technology company in Minnesota, recently announced that PHI may have been disclosed following a laptop theft.
On March 16, an unencrypted laptop was reportedly stolen from an employee’s vehicle in Indianapolis, Indiana. The laptop belonged to an unnamed vendor of OptumRx that provides home delivery services to patients.
After an investigation with the vendor, OptumRx stated that a file on the stolen laptop may have contained names, addresses, health plan names, prescription drug information, and prescribing provider information. For some individuals, dates of birth may have been exposed.
OptumRx confirmed that Social Security numbers, credit cards, and other financial information was not involved.
Neither the company nor the Office of Civil Rights data breach portal stated how many individuals may have been affected by the security incident.
In response, OptumRx contacted local authorities and launched an outside investigation. The company also mailed notification letters to potentially affected individuals and offered one free year of identity theft protection services.
“In addition, we have worked with the vendor to put immediate and additional protections in place to prevent the occurrence of similar incidents in the future,” explained OptumRx’s notification letter. “These measures include additional security requirements on laptops they use for OptumRx work, training and reinforcement of existing policies and practices, and further evaluation of additional safeguards.”
Unauthorized access to patient information affects 532 individuals
Sacred Heart Health System in Florida has notified 532 patients about a potential PHI disclosure after a vendor was inadvertently granted access to patient data.
The possible healthcare data breach occurred at the American College of Cardiology. Sacred Heart contributes data on cardiovascular patients and procedures to a national registry at the non-profit medical society.
American College of Cardiology was working with a software developer to redesign its registry when it accidently included a table of patient data for testing purposes.
The table contained names, dates of birth, Social Security numbers, and internal patient identification numbers.
Sacred Heart was notified on February 16 that some of its patient data may have been accessed by an American College of Cardiology software developer.
“When ACC discovered this issue, it immediately terminated the vendor's access to the patient data,” explained Sacred Heart’s statement. “The ACC also obtained a written attestation from its vendor that the patient data has been destroyed and that the vendor did not retain copies. The software developer has also attested that its staff used the data only for purposes of their work for ACC.”
Sacred Heart contacted affected individuals and urged them to review their credit reports for potential misuse of their personal information.
Last year, Sacred Heart experienced another possible healthcare data breach with one of its vendors.
The healthcare system notified approximately 14,000 individuals after its medical billing vendor experienced an email hacking attack.