Virginia Commonwealth University (VCU) Health System recently discovered a data breach that potentially impacted over 2,700 patients, according to an announcement in the Richmond Times-Dispatch.
On January 10, 2017, VCU Health System became aware of a data breach in which patient EHRs were vulnerable to unauthorized access over a three-year period between January 3, 2014 and January 10, 2017.
Following an investigation, VCU Health System concluded employees of community physician groups, and an employee of a contracted vendor, had accessed patient records without proper justification. Officials maintain no information was used inappropriately.
The employees involved in the incident have since been terminated.
Employees may have viewed information including patient names, addresses, dates of birth, medical record numbers, health care providers, visit dates, health insurance information, and Social Security numbers.
VCU Health System said it is providing concerned patients with one year of free credit monitoring to avoid further issues with identity theft and fraud.
Texas health group discovers stolen hard drive containing PHI
On January 11, 2017, Denton Heart Group, a member of HealthTexas Provider Network, discovered an external computer hard drive containing patient information was stolen from its facility around December 29, 2016.
The clinic immediately launched an investigation into the incident and found the information contained on the hard drive may have included patient information such as names, addresses, driver’s license numbers, and Social Security numbers.
Presently, the clinic has no evidence to suggest any information was misused in any way.
“We regret any inconvenience caused by this incident,” the healthcare organization stated in a posted announcement. “Necessary corrective actions have been taken to safeguard against similar incidents in the future, and we are taking steps to re-evaluate the security of computer devices within our clinics to further protect our patient’s information.”
The statement did not list the number of patients affected by the incident.
St. Louis healthcare organization sends unencrypted emails
BJC HealthCare Raising St. Louis recently became aware of a data breach potentially impacting 644 current and former Raising St. Louis participants, according to a recent post on the healthcare organization’s website.
On January 9, 2017, BJC Raising St. Louis became aware of an incident in which sensitive patient information was left potentially vulnerable in a series of unencrypted email exchanges between participating program partners.
Upon discovering the security breach, BJC staff went through its required protocol for emailing data securely to mitigate further issues.
After an investigation, BJC confirmed no unauthorized individuals read or accessed the unencrypted emails at any time. Additionally, the healthcare organization determined no Social Security numbers or financial information were contained within the emails.
In an effort to avoid similar incidents in the future, BJC intends to re-educate staff members on the proper way to send securely encrypted emails and has notified potentially impacted participants of the event.
Tarleton Medical subject to unauthorized PHI access
On January 6, 2017, Tarleton Medical became aware of a data security incident involving the unauthorized access of a data server containing PHI from patient medical records.
Potentially accessed information includes patient names, addresses, dates of birth, Social Security numbers, and healthcare claims information.
The California family medicine practice has not listed how many individuals were potentially impacted during the incident. However, the OCR data breach reporting tool states that 3,929 individuals had their information involved.
“We have taken steps to enhance the security of TM patient information to prevent similar incidents from occurring in the future,” the healthcare organization explained in its notification letter.
Tarleton Medical has since reported the incident to the FBI and is offering concerned patients free access to a credit monitoring service for one year.
Summit Reinsurance Services discovers ransomware attack
On August 8, 2016, Summit Reinsurance Services, Inc. became aware of a ransomware attack on a server containing patient PHI. The organization immediately initiated an investigation into the incident and concluded an unauthorized user accessed the server around March 13, 2016.
The investigation also found the information on the affected server may have included Social Security numbers, health insurance information, provider names, and claim-focused medical records containing diagnoses and clinical information.
Summit did not state how many patients were potentially impacted by the security breach, but it asserted there is no evidence any information from the affected server has been misused in any way.
To mitigate any further problems, Summit has informed potentially impacted individuals of the incident and provided information to help concerned patients protect themselves against identity theft and fraud in the future. The organization has also provided individuals with one free year of credit monitoring and identity restoration.
This incident was the catalyst for numerous security issues reported throughout 2016 at several healthcare organizations. For example, Black Hawk College reported in 2016 that certain information may have been accessed through an infected server containing PHI.
Summit has worked to notify all impacted individuals and healthcare organizations of each incident and provided information for those seeking assistance in finding ways to protect their information moving forward.