Dedicated to providing the latest
HIPAA compliance news

7,000 Patients Impacted by Extortion Attempt on Sports Medicine Provider

Share this article on:

Massachusetts-based Sports Medicine & Rehabilitation Therapy (SMART) has alerted 7,000 patients to a breach of their protected health information. Potentially, the breach impacted all patients whose information was recorded during a visit to a SMART center prior to December 31, 2016.

The breach, which occurred in September 2017, was an extortion attempt. Hackers gained access to SMART systems, allegedly stole data, and demanded a ransom payment to prevent the information from being released online.

No indication was provided in the breach notification letters to suggest the ransom was paid, although SMART has informed its patients that there is “no reason to believe that the data has been or will be used for further nefarious purposes.”

The matter has been investigated by the FBI and Homeland Security although the details of the investigations have not been released. An attempt was made by SMART to obtain a copy of the police report through the Freedom of Information Act, although at the time the notifications were sent, no copy had been received.

The information potentially stolen by the hackers did not include financial data or Social Security numbers, but insurance numbers and diagnostic codes were included in the stolen data set.

North Carolina DHHS Notifies 6,000 Patients of an Accidental Disclosure of PHI

The North Carolina Department of Health and Human Services has discovered a spreadsheet containing the protected health information of approximately 6,000 individuals was accidentally sent to a vendor in an unencrypted email. The breach was discovered on September 27, 2017.

The vendor in question was contacted and instructed to securely delete the spreadsheet attached to the email. NC DHHS has confirmed that the spreadsheet has been securely deleted, although affected individuals have been informed that potentially, the email could have been intercepted in transit by unauthorized individuals. The risk of interception of the email or the misuse of any information in the spreadsheet is believed to be low.

The spreadsheet contained information such as names, test results, and Social Security numbers of individuals who had undergone routine drug screening tests. The tests were conducted on individuals who had applied to NC DHHS for employment or intern and volunteer opportunities.

NC DHHS is conducting a review of policies and procedures to ensure similar incidents are prevented in the future.

Author: HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines.

Share This Post On