OIG Publishes Findings of Utah Department of Health Security Audit
The Department of Health and Human Services’ Office of Inspector General has published the findings of a security audit of the Utah Department of Health. OIG discovered 39 “high-impact” security vulnerabilities and “a pattern of inadequate security management.” The Utah Department of Health suffered two data breaches between 2012 and 2013, the first of which occurred in March 2012., and resulted in the protected health information (PHI) of 780,000 Medicaid recipients and Children’s Health Insurance Plan recipients being obtained by hackers. The data was stored on a server maintained by the Utah Department of Technology Services (DTS), which was accessed by Eastern European hackers. The second data breach occurred in January 2013., and was the result of the loss of an unencrypted USB drive by an employee of a business associate of the Dept. of Health. The USB drive contained the PHI of 6,000 individuals. The security breaches prompted OIG to conduct a review of information systems general controls at the Utah DOH, which took place in March 2013. The initial review was...
Borgess Rheumatology Informs 700 Patients of Mailing Error
Borgess Rheumatology has announced that 700 of its patients have been impacted by a mailing error that occurred on December 9, 2015., that exposed their PHI. While no Social Security numbers or other highly sensitive data have been disclosed, affected patients have had their name and the fact that they receive medical services at Borgess Rheumatology disclosed to another patient. In each case, a single patient will have been made aware of the name of another patient who receives treatment at Borgess Rheumatology and that prescription medications were used by that individual. No health information or sensitive data such as Social Security numbers or Insurance details were detailed in the letters. While affected patients have had their privacy violated, due to the very limited data that was inadvertently disclosed, patients are unlikely to face any risk of identity theft as a result of the mailing mistake. In a statement issued to West Michigan News Channel 3, Borgess Rheumatology said the error occurred on December 9, 2015, and that the mistake was discovered the following day....
Louisiana Healthcare Connections Breach Affects 13K Medicaid Recipients
Louisiana Healthcare Connections (LHCC) is notifying approximately 13,000 Medicaid recipients that some of their protected health information has been stolen by a former employee and disclosed to a third party. The data breach affects individuals who have enrolled in LHCC in the Acadiana Region of Louisiana. LHCC became aware of the data breach on December 3, 2015, after being notified of a potential security breach by the Louisiana Attorney General’s Medicaid Fraud Control Unit. The fraud control unit was conducting an investigation into Medicaid fraud that involved data taken from LHCC. LHCC was informed that an individual had fraudulently gained access to LHCC’s provider website and had downloaded a list of patients. The individual in question worked at a physician’s office, and had used the login credentials of another person to gain access to patient data and had downloaded a list of approximately 13,000 patients. That list was subsequently provided to another individual who was not authorized to view the data. The patient list was unlawfully downloaded on March 3, 2015. The...
Another Tampa General Hospital Employee Indicted for PHI Theft and Fraud
This week, another former employee of Tampa General Hospital has been indicted on charges of tax refund fraud, aggravated identity theft, and wrongful disclosure of health information. This is the second former employee of the hospital who has been accused of stealing patient data with a view to committing tax fraud. The first case concerned a former records clerk, Tigi Moore, who stole the protected health information of patients in 2012 and used the information to file false tax returns. Moore and her co-conspirators managed to obtain $671,022.99 in fraudulent tax refunds before being apprehended. The trio had actually filed tax returns requesting around $1.8 million. In 2014, Moore pleaded guilty to charges of aggravated identity theft, theft of government property, and conspiracy and was sentenced to serve 4 years in jail. The latest case concerns Shakania Benton, 37, who worked as a unit coordinator at Tampa General Hospital between February 2007 and August 2014, when she was fired for stealing patient data from the hospital. The data theft was not discovered by the hospital,...
Medicap Pharmacy Warns Des Moines Customers of Potential Data Breach
The Medicap Pharmacy, a franchise of pharmacy stores operating in 28 U.S. states, has announced a data breach that impacts customers who visited one of its pharmacies in Des Moines. Customers who filled prescriptions between June 2014., and November 3, 2015., at the Medicap Pharmacy located at 2804 Beaver Ave, Des Moines, Iowa, may have had some of their protected health information exposed. Affected individuals are being notified by mail of the data breach, which exposed customer names, home addresses, contact telephone numbers, dates of birth, Social Security numbers, insurance information, prescribed medications, cost of those medications, and prescriber information. The data were stored on a portable external hard drive which was accidentally disposed of on November, 5, 2015. While it was known that the hard drive contained sensitive information of some of its customers, the pharmacy initially thought that those data had been encrypted. While that appears to have been the case for some customers, not all data stored on the drive were protected with encryption. Medicap Pharmacy...



