HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Texas Tech University Health Sciences Center and Baptist Health Report Data Breaches of Over 1.2 Million Records

Texas Tech University Health Sciences Center has confirmed that the protected health information of 1,290,104 patients was compromised in a data breach at its electronic medical record vendor, Eye Care Leaders.

Eye Care Leaders said it detected a breach on Dec. 4, 2021, and disabled the affected systems within 24 hours. Texas Tech University Health Sciences Center said it received the final results of the forensic investigation on April 19, 2022. The compromised information included the following data elements: name, address, phone numbers, driver’s license number, email, gender, date of birth, medical record number, health insurance information, appointment information, social security number, as well as medical information related to ophthalmology services. No evidence of data exfiltration was found.

Over the past few weeks, the number of eye care providers known to have been affected by the Eye Care Leaders data breach has been growing. At least 23 eye care providers have confirmed they have been affected and the protected health information of more than 2 million patients is known to have been exposed.

Baptist Health Says Information of 1.24 Million Patients Potentially Compromised in Cyberattack

Baptist Health has recently started notifying patients about a cyberattack that was discovered on April 20, 2022, that may have seen malicious code installed on its network. According to the announcement, an unauthorized individual had access to certain Baptist Health systems between March 31 and April 24, 2022.  During that period of access, some data was removed from its systems.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Upon discovery of the breach, user access was suspended, the affected systems were taken offline to prevent further unauthorized access, and cybersecurity protection protocols were implemented. The parts of the system that were accessed included the data of patients of Baptist Medical Center in San Antonio and Resolute Health Hospital in New Braunfels in Texas, and included names, dates of birth, addresses, Social Security numbers, health insurance information, medical record numbers, dates of service, provider and facility names, chief complaint/reason for a visit, visit procedures and diagnosis information, and billing and claims information.

Baptist Health said it is improving its security and monitoring capabilities to reduce the risk of further data breaches. Affected individuals have now been notified and individuals whose Social Security numbers were potentially compromised have been offered complimentary credit monitoring and identity protection services.

Baptist Health has reported the breach to the HHS’ Office for Civil Rights as affecting 1,243,031 individuals, and Resolute Health Hospital has reported the breach as affecting 54,239 individuals.

Santa Barbara County Department of Behavioral Wellness Reports Medical Record Breach

Santa Barbara County Department of Behavioral Wellness in California has recently confirmed that a staff member has accessed the medical records of patients without authorization. The unauthorized access was detected on March 30, 2022, when the department implemented a new security system for detecting unauthorized medical record access, which immediately flagged the HIPAA breach.

The employee’s access to the medical record system was immediately terminated pending an investigation, and that the employee in question was subjected to appropriate disciplinary actions. The records accessed by the employee included names, addresses, email addresses, telephone numbers, Social Security numbers, insurance information, medical record numbers, and medical information. No evidence was found to indicate any patient information had been printed, sent externally, or written down. The department said it will be conducting additional security audits in the future and will be updating client outreach procedures to prevent any recurrences.

Notification letters have now been sent to all affected individuals. The breach is not currently listed on the HHS’ Office for Civil Rights website, so it is unclear how many people have been affected.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.