Mississippi’s Magnolia Health Fires Employee for PHI Disclosure
Magnolia Health, a health insurance company serving Mississippi’s Medicaid population, has announced it has fired an employee for inappropriately accessing the protected health information (PHI) of “numerous Magnolia Health members” and disclosing those data to a relative. The disclosure of PHI was against company regulations, and the now-former employee had not received authorization from the company or patients to share their data. The disclosure happened on two occasions: October 28, 2015, and November 8, 2015. The data were emailed from the employee’s work email account to a personal account and the email account of a relative. Upon discovery of the privacy breaches, the Centene Corporation subsidiary conducted an investigation, which resulted in the termination of the employment contract of the employee in question. Written statements were obtained from the employee and the recipient of the PHI stating they had not disclosed the data to any other individuals. Magnolia Health also viewed the personal email accounts of both individuals to confirm that all copies of the data had been...
Spoofed Email Scam Claims Another Healthcare Victim
Just a matter of days after Magnolia Health Corporation, CA, announced one of its employees had fallen for a spoofed email scam and emailed a list of employee data outside the company, another healthcare system has made a similar announcement in what appears to be an almost carbon copy data breach. An employee of St. Joseph’s Healthcare System, NJ, received an email request to send a list of employee names, Social Security numbers, and earnings data, a request that is perhaps not unusual in tax season. The email request appeared to have been sent from an internal email address, that of a high-ranking company executive. The employee responded by sending a spreadsheet containing the names, Social Security numbers, and details of 2015/2016 earnings of current employees. However, the email had in fact been sent by a scammer. Over 5,000 employees have had their names and Social Security numbers disclosed. Those employees work at either the St. Joseph’s Regional Medical Center in Paterson, NJ, St. Joseph’s Wayne Hospital in Wayne, NJ, or St. Vincent’s Nursing Home in Cedar Grove, NJ....
OIG Publishes 2013 Security Report on South Carolina’s Medicaid Agency
The U.S. Department of Health and Human Services’ Office of Inspector General has published a report of an investigation into South Carolina’s Medicaid agency. The investigation was conducted in 2013 following the 2012 hacking of the Revenue Department and a data breach at the state’s Department of Health and Human Services the same year. 74 gigabytes of data were stolen from the Revenue Department, which included the tax returns of 3.8 million adults and Social Security numbers of 1.9 million dependents. 3.3 million businesses’ bank account numbers were also stolen. An employee of the Department of Health and Human Services was discovered to have inappropriately accessed the records of 228,000 Medicaid recipients and emailed the data to a personal email account. The employee was arrested and was sentenced to three years of probation and community service, although the hackers responsible for the cyberattack on the Revenue Department were never caught. The purpose of the investigation was to determine whether the state had properly safeguarded data stored in the Medicaid...
Healthcare Cyberattack Suspect Arrested After Being Rescued at Sea
A suspected hacktivist has been arrested after being rescued at sea off the coast of Cuba. Martin Gottesfeld, 31, from Somerville, Mass., is suspected of orchestrating two DDoS attacks on the computer network of a hospital in Boston last year, understood to be Boston Children’s Hospital. Gottesfeld, who was under investigation for the cyberattacks, is believed to have fled Massachusetts recently to escape arrest. His home was searched by the FBI in October 2014 in connection with the distributed denial of service attack on the Boston Children’s Hospital that occurred in April 2014. Somerville Police Department had recently been alerted to the disappearance of Gottesfeld and his wife after reports were received by concerned relatives and friends that the pair had not been seen for several weeks. Last week the police department visited Gottesfeld’s apartment to conduct a well-being check, but no one was home. Just a few days after the visit, Gottesfeld turned up, although in a rather unusual place. He and his wife were found off the coast of Cuba in a small boat. They had issued a...
480,000 Patients Notified of Radiology Regional Center PHI Exposure
In December, Radiology Regional Center, PA, was alerted to a privacy breach by Lee County Solid Waste Division following the accidental release of medical documents in the street. The privacy breach occurred on December 19, 2015. Medical documents were being transported by Lee County Solid Waste Division for secure disposal. The paper files were due to be incinerated in accordance with Health Insurance Portability and Accountability Act Rules, but were accidentally released during transportation. The failure to secure the records resulted in them falling off the vehicle used to transport them. The documents containing highly sensitive medical data were strewn across the street and found their way into doorways, driveways, canals, and were blown all over the sidewalk.
Patients Have Now Been Notified of the Privacy Breach
Patients were notified of the breach of their private and confidential medical data on February 12, 2016, the same date that the Office for Civil Rights received a HIPAA data breach report. Initially it was unclear exactly how many patients had been affected....



