Share this article on:
Total Health Care Inc., a Detroit, MI-based health plan, has discovered unauthorized individuals have gained access to several employee email accounts that contained sensitive personal information of health plan members and physician partners.
Upon discovery of the breach, the email accounts were immediately secured to prevent further unauthorized access and security experts were engaged to conduct a forensic investigation to determine the nature and scope of the breach. The investigation confirmed that the breach was limited to email accounts, which were accessed by unauthorized individuals between December 16, 2020 and February 5, 2021.
No evidence was found to suggest any protected health information was viewed or misused, but unauthorized access could not be ruled out. A review of the emails in the accounts revealed they contained names, addresses, dates of birth, member IDs, claims information, and Social Security numbers.
Due to the sensitive nature of data in the accounts, affected individuals have been offered free credit monitoring services for up to two years through CyberScout. Steps have since been taken to improve email security, including reviewing and updating policies and procedures and providing additional security awareness training to the workforce.
The breach has been reported to the HHS’ Office for Civil Rights as affecting 221,454 individuals.
Harrington Physician Services Reports Potential Breach of a Patient Mailing List
Southbridge, MA-based Harrington Physician Services is notifying 4,393 patients about a potential breach of some of their protected health information. It was recently discovered that a mailing list had been uploaded to a location within its information system that was not supposed to house patient data. As a result, it is possible that individuals outside of Harrington Physician Services may have been able to access the mailing list. The mailing list contained names, ages, addresses, dates of birth, primary care physician names and last office visit date only.
An investigation did not uncover any evidence to suggest the mailing list had been accessed, but it was not possible to rule out a breach. The mailing list was only exposed for a short period of time and, in order to access the list, an individual would require access to the network where the mailing list was stored. The risk to patients is therefore believed to be minimal; however, as a precaution, affected patients have been notified and provided with information about credit protection and monitoring services.
The OCR breach portal shows 4,393 individuals were affected.