Accidental Disclosures of PHI at LA Fire Department and Standard Modern Company
The Los Angeles Fire Department has discovered that the COVID-19 vaccination statuses of 4,900 employees have been accidentally exposed online.
A list that included the full names of employees, dates of birth, employee numbers, and COVID-19 vaccination information (vaccination dates, doses, or declined vaccine) had been published on a website accessible to the public. During the time that the website was active, it was possible to visit the site and conduct searches of the database for names and employee numbers. The database was not password protected and no information had to be entered to authenticate users. If a wildcard search was conducted, a table was generated that listed the data of all 4,900 employees.
The website – covid.lacofdems.com – had been privately registered and was linked to the Fire Department’s Emergency Medical Service’s bureau. The website, which had not been authorized, was created on April 29, 2021 and was deactivated on July 15, 2021. The website had reportedly been created to allow Department employees to retrieve lost vaccination information.
Prior to the deactivation, a reporter at the LA Times downloaded the data from the database. An investigation into the owner of the site showed it was hosted by a department employee and had not been secured using government software or infrastructure.
After learning about the breach and exposure of vaccine status information, several firefighters took to social media to complain about the privacy violation. The firefighters’ union, Local 1014, has called for a full investigation to be conducted into the breach.
Error at Mailing Vendor Sees Letters Sent to Incorrect MassHealth Members
New Bedford, MA-based Standard Modern Company, Inc. has notified 2,707 patients about an accidental disclosure of some of their personal information.
Standard Modern Company provides mailing services to the Massachusetts Executive Office of Health and Human Services. On May 24, 2021, Standard Modern Company was notified that certain MassHealth members had received letters that contained the information of other MassHealth members. All mailings were ceased while the incident was investigated, with the investigation confirming an internal program error had occurred that affected mailings between May 10, 2021 and May 18, 2021. The error caused incorrect labels to be generated on a limited number of mailed notices.
In each case, a letter containing a member name, identification number, last four digits of their Social Security Number, and their date of birth was sent to a different MassHealth member.
Standard Modern Company has stopped using the internal program that caused the error, and additional safeguards have now been implemented to strengthen its mailing procedures and prevent further errors.
Each of the 2,707 affected individuals only had limited information disclosed to one other member, and there have been no reported cases of misuse of any of the disclosed information. A phone line has been established for affected individuals to find out more about the breach and have their questions answered, and complimentary access to Triple Bureau Credit Monitoring and cyber monitoring services has been offered for 24 months.
Standard Modern Company was assisted by the Buffalo, NY-based privacy and security law firm Beckage PLLC when investigating and responding to the breach.