30K Integrated Regional Laboratories Patients Impacted by AMCA Breach

Integrated Regional Laboratories (IRL) in Florida is notifying approximately 30,000 patients that their protected health information (PHI) was potentially compromised in the American Medical Collection Agency (AMCA) data breach discovered on March 20, 2019.

On June 3, 2019, AMCA notified IRL about its security breach and confirmed on June 13, 2019 that the PHI of IRL patients had been exposed.

IRL posted a breach notice on its website on July 30, and patients are being notified. IRL stopped sending patient information to AMCA when the breach was discovered, and the company is no longer using AMCA’s services. AMCA has been instructed to securely destroy all copies of any IRL patients’ PHI.

According to the breach summary on the HHS’ Office for Civil Rights website, 29,644 patients were affected by the breach.

Over the past few days, the breach summaries of several victims of the AMCA breach have been added to the OCR’s breach portal. HIPAA Journal has been tracking breach reports and has identified 22 HIPAA-covered entities that have been affected by the breach.

So far, 24,739,540 records have been confirmed as having been exposed. The breach reports of 9 victims have yet to be added to the OCR breach portal, but based on provisional figures, the final victim count is likely to exceed 26 million.

Mid-Valley Behavioral Care Network Phishing Attack Impacts Almost 11,000 Patients

Salem, OR-based Mid-Valley Behavioral Care Network (BCN) has discovered that two email accounts used by employees have been subjected to unauthorized access. The data breach was detected on June 26, 2019, and the investigation revealed the accounts were compromised for a period of around 24 hours.

BCN manages care for members of the Willamette Valley Community health plan. The protected health information of 10,710 members of the WVCH plan was exposed, as well as the personal information of 2,092 Oregon Health Plan providers.

It was not possible to determine whether emails in the account were accessed or if any PHI was stolen. Notification letters were sent to affected members on August 9, 2019. Additional safeguards have now been implemented to prevent any further breaches.

Hacked Server Contained PHI of 1,938 Bayview Dental Patients

Bayview Dental is alerting 1,938 of its patients that their protected health information was stored on a server that was subjected to unauthorized access.

Suspicious activity was detected on the server on May 28, 2019 and forensic experts were called in to investigate a potential breach. On July 4, 2019, Bayview Dental was informed by the forensic investigators that the protected health information of certain patients may have been accessed. It was not possible to determine whether any patient information was viewed or copied by the attacker.

Affected patients had the following information exposed: Name, address, phone number, date of birth, dental insurance information, medical/dental history information and, in certain cases, Social Security number.

Affected individuals have been notified and offered complimentary credit monitoring services for 12 months. Bayview Dental has implemented additional safeguards to prevent further cyberattacks, and staff have been provided with additional training on data privacy and security.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.