HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

221,000 Total Health Care Members Impacted by Email Account Breach

Total Health Care Inc., a Detroit, MI-based health plan, has discovered unauthorized individuals have gained access to several employee email accounts that contained sensitive personal information of health plan members and physician partners.

Upon discovery of the breach, the email accounts were immediately secured to prevent further unauthorized access and security experts were engaged to conduct a forensic investigation to determine the nature and scope of the breach. The investigation confirmed that the breach was limited to email accounts, which were accessed by unauthorized individuals between December 16, 2020 and February 5, 2021.

No evidence was found to suggest any protected health information was viewed or misused, but unauthorized access could not be ruled out. A review of the emails in the accounts revealed they contained names, addresses, dates of birth, member IDs, claims information, and Social Security numbers.

Due to the sensitive nature of data in the accounts, affected individuals have been offered free credit monitoring services for up to two years through CyberScout. Steps have since been taken to improve email security, including reviewing and updating policies and procedures and providing additional security awareness training to the workforce.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 221,454 individuals.

Harrington Physician Services Reports Potential Breach of a Patient Mailing List

Southbridge, MA-based Harrington Physician Services is notifying 4,393 patients about a potential breach of some of their protected health information. It was recently discovered that a mailing list had been uploaded to a location within its information system that was not supposed to house patient data. As a result, it is possible that individuals outside of Harrington Physician Services may have been able to access the mailing list. The mailing list contained only names, ages, addresses, dates of birth, primary care physician names, and last office visit dates.

An investigation did not uncover any evidence to suggest the mailing list had been accessed, but it was not possible to rule out a breach. The mailing list was only exposed for a short period of time and, in order to access the list, an individual would require access to the network where the mailing list was stored. The risk to patients is therefore believed to be minimal; however, as a precaution, affected patients have been notified and provided with information about credit protection and monitoring services.

The OCR breach portal shows 4,393 individuals were affected.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.