30,000 Patients Notified of Phishing Incident at Memorial Hospital at Gulfport

Memorial Hospital at Gulfport, MS, is notifying approximately 30,000 patients that some of their protected health information has potentially been accessed by an unauthorized individual as a result of a phishing incident.

Memorial Hospital discovered a breach of an employee’s email account on December 17, 2018. The compromised account was immediately secured and an investigation was launched to determine the extent of the breach.

The investigation revealed the employee responded to a phishing email on December 6, 2018, which gave the attacker access to patients’ protected health information stored in emails and email attachments.

Memorial Hospital reports that the breach was limited to names, dates of birth, health insurance information, and information about medical services received at the hospital. A small number of Social Security numbers were also contained in the compromised email account.

Patients affected by the incident were notified by mail on February 15, 2019. Complimentary credit monitoring services have been offered to all patients whose Social Security numbers were compromised. The investigation is ongoing, and the hospital anticipates notifying additional patients in the coming weeks.

5,524 AZ Plastic Surgery Center Patients Notified of Data Breach

AZ Plastic Surgery Center in Tucson, AZ, is notifying 5,524 patients that some of their PHI may have been accessed by hackers who succeeded in gaining access to its computer system. The breach was discovered on December 10, 2018.

The incident has been reported to both the FBI and local law enforcement and the investigation into the breach is continuing.

AZ Plastic Surgery Center engaged third-party computer experts to determine the nature and scope of the breach. While data access was not confirmed, the possibility could not be ruled out with a high degree of certainty. No reports have been received to suggest any PHI has been misused.

The types of information that were potentially accessed included names, dates of birth, addresses, diagnoses, prescription information, health insurance numbers, and procedure notes. A limited number of Social Security numbers and driver’s license numbers may also have been accessed. The attack is thought to be the one referred to by TheDarkOverlord in a December, as reported by databreaches.net.

Notification letters were mailed to affected patients on February 8, 2019.

Rush University Medical Center Mailing Error Impacts 908 Patients

Rush University Medical Center in Chicago, IL, has notified 908 patients about a mailing error that resulted in the disclosure of their name to another patient.

Patients were sent notification letters about the retirement of a certified nurse practitioner at the Epilepsy Center.

The medical center learned that some of the letters may have included the name of a different patient. As a result, the letters would have disclosed a patient’s name to one other patient, also revealing that person was a patient of the Epilepsy Center.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.