16,000 Redwood Eye Center Patients Impacted by MSP Breach

A managed service provider that hosts the electronic health records of Redwood Eye Center in Vallejo, CA, has experienced a security breach that has resulted in the exposure of 16,000 patients’ protected health information.

IT Lighthouse provides computer support and application hosting services, including the hosting of electronic health records. During the evening of September 19, 2018, hackers succeeded in installing ransomware on a server that was hosting the electronic health records of patients of Redwood Eye Center. Redwood Eye Center was notified about the security breach on September 20, 2018.

A third-party computer forensics firm was hired by IT Lighthouse to assist with the investigation and a specialized medical software vendor was consulted and helped Redwood Eye Center recover the affected data.

The types of data that were potentially accessed by the attackers included patients’ names, addresses, birth dates, health insurance information, and medical treatment information. The investigation did not uncover any evidence to suggest the attackers accessed the PHI of Redwood Eye Center patients, but notification letters were sent out of an abundance of caution on December 6, 2018.

The breach notification letter sent to the California attorney general indicates 16,055 California residents have had their protected health information exposed.

Email Privacy Breach Reported by Butler County

Butler County, OH, is notifying approximately 1,350 employees that some of their protected health information has been exposed as a result of an email error. The county’s wellness coordinator sent an email in September about health insurance which included a spreadsheet that contained the wellness information of employees.

The spreadsheet had hidden columns which contained information such as names, insurance ID numbers, and information about the employees’ participation in the county wellness program. Highly sensitive information such as Social Security numbers and passwords were not exposed. Affected individuals have been advised to take steps to prevent the fraudulent use of their insurance information.

Butler County sought legal advice about the breach and was advised to report the incident to the Department of Health and Services which is investigating.

Coding Error Resulted in Disclosure of Thielen Student Health Center Patient Data

599 patients of Thielen Student Health Center in Ames, IA, are being notified that some of their protected health information has been impermissibly disclosed to other patients.

Thielen Student Health Center uses software to send satisfaction surveys to patients. In a recent survey run, a coding error occurred when patient information was put into the system. As a result of the error, names of patients, appointment dates, and providers’ names were incorrectly added to the surveys. Individuals affected had the above information disclosed to one other patient.

The error was rapidly identified and the health center was able to recall many of the surveys before they were seen. All affected individuals have now been notified and changes have now been made to remove personally identifiable information from future surveys.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.