More Than 70,000 Adventist Health Tulare Patients Affected by Business Associate Breach
A business associate of Adventist Health Tulare has identified unauthorized access to the information of 70,000 patients, and Columbia University Irving Medical Center has discovered patient data has been exposed on the internet.
Adventist Health
Adventist Health has recently announced that the protected health information of more than 70,000 patients of Adventist Health Tulare in California has been accessed by an unauthorized individual. The security breach occurred at a business associate, Signature Performance, which was used to collect payments for services.
Adventist Health said Signature Performance identified suspicious activity within its network, and the forensic investigation confirmed that patient information had been accessed; however, Adventist Health said the data was not used for illegal activity. It is unclear how that determination was made.
Notification letters are being mailed to the affected individuals by Signature Performance, and the notification letters will state for each individual the types of information involved. A toll-free number has been established for individuals seeking further information. The number – 833-566-7793 – is manned between 5 a.m. and 5 p.m. PST, Monday through Friday.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
There is currently no substitute breach notice on the website of the California Attorney General from either Adventist Health or Signature Performance, but there is a substitute notice on the website of the Maine Attorney General. That breach notice was added on February 9, 2024, and relates to unauthorized access between January 17 and January 18, 2024, that was detected on January 18. The notice states that 7,122 individuals were affected and credit monitoring services are being offered. It is currently unclear if this is the same incident and more people are now known to have been affected or if this is a separate incident.
Update: June 14, 2024: The HIPAA breach has been reported to the HHS’ Office for Civil Rights by Signature Performance as affecting 106,540 individuals. Adventist Health Tulare chose to notify OCR separately for its 70,802 affected patients.
Columbia University Irving Medical Center
A data breach that escaped our attention until recently was reported to the HHS’ Office for Civil Rights on May 6, 2024, by Columbia University Irving Medical Center (CUIMC) as affecting 29,629 individuals.
NewYork-Presbyterian (NYP) and CUIMC were notified about the exposure of patient data on an Internet-accessible platform. The file was immediately removed from the platform and the investigation confirmed that a NYP/CUIMC employee inadvertently uploaded the file in August 2023 while performing quality-related data review activities.
The file contained patient lab data, including first name, last name, medical record number, date of birth, provider name, and a single laboratory test result. NYP/CUIMC said the lab result would not reveal diagnostic information about patients. The forensic investigation uncovered evidence on March 8, 2024, indicating the file had been accessed by unknown and unauthorized third parties between September 11, 2023, and March 7, 2024.
The nature of the exposed data does not put the affected individuals at risk of identity theft; however, NYP/CUIMC recommends that the affected patients monitor their statements from their health plans for irregularities. The affected individuals have already been notified and NYP/CUIMC is evaluating further security enhancements and will continue to educate the workforce regarding the correct handling of patient data.
