- The Southeast Eye Institute, PA, or Eye Associates of Pinellas, has recently reported a possible healthcare data breach after an unauthorized party accessed patient files that were formerly managed by a third-party vendor.
Approximately 87,314 individuals were affected by the hacking incident, according to the Office of Civil Rights (OCR) data breach portal.
Southeast Eye Institute discovered the healthcare data security event when Bizmatics Inc, an off-site vendor that ran its practice management software, notified the practice on March 30. Bizmatics Inc told the practice that hackers may have gained access to some of its patient files starting in January 2015.
Patient information that may have been exposed included names, addresses, telephone numbers, Social Security numbers, dates of birth, and insurance information. The practice reported that medical and financial information was not involved in the event.
Bizmatics Inc stated that patient information was divided into several different files in order to increase healthcare data security measures. For example, the vendor kept names and addresses in separate files. It could not affirm if the intruders were able to combine the data.
The vendor also could not confirm what patient files may have been exposed by the hacking incident. However, Southeast East Institute noted that patients that had attended an appointment on or before November 16, 2015 may have been affected.
Although Southeast Eye Institute no longer works with Bizmatics Inc, the statement explained that the vendor contacted the FBI and hired a cybersecurity firm to improve its data security measures, including strengthening firewalls and network configurations.
Southeast Eye Institute has notified affected individuals and offered complimentary credit monitoring services for a year.
In addition to this possible healthcare data breach, Bizmatics Inc has also recently notified several other clients of data security incidents involving unauthorized access of patient files.
Last month, the Pain Treatment Centers of America reported that 19,387 patients were notified of a possible PHI breach after Bizmatics Inc discovered that hackers had gained access to its servers in 2015.
Similarly, Complete Family Foot Care in Nebraska notified 5,883 individuals of a potential healthcare data breach in March because an outside party may have viewed some of its EHR data that was stored and managed by Bizmatics Inc.
Unauthorized access results in possible IN healthcare data breach
Indiana-based Lafayette Pain Care PC has notified some patients that their EHR data may have been accessed by an outside entity.
The OCR data breach portal reported that 7,500 individuals were affected by the possible PHI breach.
According to the “For Our Patients” section of its website, Lafayette Pain Care’s EHR management vendor experienced a hacking incident that could have resulted in some patient files being exposed to intruders. The potential healthcare data breach affected multiple EHR systems across the country, confirmed the statement.
“All this said, our electronic medical records provider has informed us that it is not aware of any evidence that our patient records were in fact accessed or acquired by any unauthorized persons,” reported the website.
Due to the nature of the information, Lafayette Pain Care has notified affected individuals. It recommended that patients monitor their credit accounts and Explanation of Benefits insurance forms and report any suspicious or inappropriate activity.
The healthcare organization has also offered free credit monitoring services to affected and verified patients.
FL medical center notifies patients of unintended EHR data exposure
Approximately 1,000 individuals were affected by unauthorized disclosure of EHR data at Florida Medical Center, reported the OCR’s data breach portal.
In an official statement on its website, Florida Medical Center disclosed that patient due balance statements were unintentionally accessible to industrial account patients from November 18, 2015 to January 6, 2016. The information was posted on the Patient Portal.
Patients with industrial accounts work with a third-party that is responsible for financing the healthcare costs for services received at the medical center. Other patients on the same industrial account could have viewed another individual’s due balance statements, according to the statement.
Patient information on the statement included names, dates of services provided, providers, summaries of procedures received, charges due, and mailing address. Florida Medical Center explained that Social Security numbers, dates of birth, credit card numbers, and bank information was not exposed in the potential healthcare data breach.
After an investigation, the medical center found that its patient portal vendor, Greenway Health, had accidently changed a setting that caused some EHR data to be accessible via the program.
Florida Medical Center collaborated with the vendor to turn off the setting and developed additional measures to prevent future incidents.
Additionally, the medical centered notified all affected patients and advised them to monitor financial and credit accounts.
Emailing error causes data security incident in OR
An Oregon-based specialty clinic has announced that patient email addresses were inadvertently exposed following an emailing error.
In the notification letter, Berkeley Endocrine Clinic explained that a spam email may have been sent to patients on April 22. The clinic attempted to notify patients of the spam via email. However, the recipient email addresses were not hidden on the notification blast, which may have disclosed patient contact information.
Besides names and email addresses, no other patient data, such as medical information, was included in the emailing error, confirmed Berkeley Endocrine Clinic.
Upon discovering the data security incident, the clinic has reviewed its administrative policies and added some internal measures regarding correspondences.
Berkeley Endocrine Clinic has also notified affected individuals and advised that impacted patients change their email address.
Neither the clinic nor OCR’s data breach portal have yet to disclose how many individuals were involved in the incident.