HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

7,000 Patients Impacted by Extortion Attempt on Sports Medicine Provider

Massachusetts-based Sports Medicine & Rehabilitation Therapy (SMART) has alerted 7,000 patients to a breach of their protected health information. Potentially, the breach impacted all patients whose information was recorded during a visit to a SMART center prior to December 31, 2016.

The breach, which occurred in September 2017, was an extortion attempt. Hackers gained access to SMART systems, allegedly stole data, and demanded a ransom payment to prevent the information from being released online.

No indication was provided in the breach notification letters to suggest the ransom was paid, although SMART has informed its patients that there is “no reason to believe that the data has been or will be used for further nefarious purposes.”

The matter has been investigated by the FBI and Homeland Security although the details of the investigations have not been released. An attempt was made by SMART to obtain a copy of the police report through the Freedom of Information Act, although at the time the notifications were sent, no copy had been received.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The information potentially stolen by the hackers did not include financial data or Social Security numbers, but insurance numbers and diagnostic codes were included in the stolen data set.

North Carolina DHHS Notifies 6,000 Patients of an Accidental Disclosure of PHI

The North Carolina Department of Health and Human Services has discovered a spreadsheet containing the protected health information of approximately 6,000 individuals was accidentally sent to a vendor in an unencrypted email. The breach was discovered on September 27, 2017.

The vendor in question was contacted and instructed to securely delete the spreadsheet attached to the email. NC DHHS has confirmed that the spreadsheet has been securely deleted, although affected individuals have been informed that potentially, the email could have been intercepted in transit by unauthorized individuals. The risk of interception of the email or the misuse of any information in the spreadsheet is believed to be low.

The spreadsheet contained information such as names, test results, and Social Security numbers of individuals who had undergone routine drug screening tests. The tests were conducted on individuals who had applied to NC DHHS for employment or intern and volunteer opportunities.

NC DHHS is conducting a review of policies and procedures to ensure similar incidents are prevented in the future.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.