Kansas-based Valley Hope Association recently began notifying patients that their data was potentially breached during an email hack. VHA is a drug and alcohol addiction treatment organization with 16 facilities in seven states.
Officials discovered suspicious activity on an employee email account in October 2018. With the help of an outside forensics team, VHA launched an investigation to determine the scope of the event and found a hacker had access to the account on October 9 and 10.
Further, officials determined the cybercriminal had access to the emails and attachments that were stored in the account.
The compromised information varied by patient, but could include “one or more data points,” such as names, Social Security numbers, financial account information, driver’s license or state identification card numbers, patient claim or billing information, dates of birth, health insurance details, medical record numbers, medications and prescriptions, and doctors’ names.
All patients will receive a detailed notification that outlines the exact information compromised by the hack. But officials stressed that no treatment or diagnostic information was breached. Patients will receive a year of free credit monitoring and identity protection services.
VHA has since added additional security, and officials said they are reviewing policies and procedures to bolster their security program. The investigation concluded on November 23, 2018, which may explain the delayed breach notification. Under HIPAA, organizations must report breaches within 60 days of discovery.
Email Error Causes Lebanon VA Medical Center Breach
An employee email error breached the data of 1,002 Lebanon VA Medical Center patients, according to the Pennsylvania-based provider.
In November 2018, an employee accidentally sent a document containing a historical list of nursing home residents to a family member of a veteran searching for a nursing home. The document should have contained nursing home facilities covered by the Department of Veterans Affairs.
The list included veterans’ names, Social Security numbers, diagnoses, disability rating percentages, and the nursing homes where they reside.
Calling it an isolated mistake, officials said they’ve taken steps to reduce the risk of a repeat incident, such as additional controls. Further, encryption has been added to emails with historic information, restrictions have been placed on who has access, and members are now prevented from sending email attachments externally.
45,000 Records Breached by Mississauga Disability Support Program
The Mississauga Disability Support Program in Ontario inadvertently sent the data of 45,000 patients to 100 people on December 20, according to local news outlet The Star.
The email was sent to notify recipients of changes to the program’s “MyBenefits portal,” which came with an attachment – a spreadsheet with a list of program participants. That attachment was not meant to be sent. According to officials, no home addresses or financial data were disclosed.
Officials were able to contact 75 of the 100 people who mistakenly received the file. They were asked to delete the email and confirm. The department is reviewing its internal processes to prevent the mistake from occurring again.
Calling it a clerical error, Ontario’s Social Services Minister Lisa MacLeod apologized for the incident: “As soon as I was notified of this privacy breach, I took steps to ensure those impacted and the privacy commissioner were notified, and that processes and procedures were reviewed so that mistakes like this don’t happen again.”
Hard Drive Theft Impacts 76,000 All-Star Orthopaedics Patients
An unencrypted hard drive containing the x-rays and other diagnostic images of 76,000 All-Star Orthopaedics patients was stolen on November 20, 2018.
However, officials said that while the data was not encrypted, “special software is needed to access the information.” If the criminals were able to open the drive, the image files also contain patient names and birthdates. No other information is stored on the drive.
According to officials, All-Star will now encrypt hard drives prior to transport. Law enforcement has been notified of the incident.