St. Luke’s Cornwall Hospital Notifies 29K Patients of Data Exposure
St. Luke’s Cornwall Hospital has issued a media announcement providing further information on the 29,156-record data breach that occurred on October 31, 2015. The hospital has explained that the breach occurred when an unidentified individual entered a restricted area of the hospital and stole a thumb drive containing a limited amount of patient data. The device was unencrypted and contained patient names, medical record numbers, details of imaging services provided, and the dates of patient visits. Some administration information was also stored on the thumb drive, although no financial information, insurance details, health information, or Social Security numbers were compromised. While the incident was discovered quickly, the hospital had to conduct an investigation to determine the exact data that were stored on the thumb drive and which patients were affected. The investigation has now been completed and patients have been notified by mail of the breach of their protected health information. The Department of Health and Human Services’ Office for Civil Rights was informed of...
Franciscan St. Francis Health Patients Targeted by Phone Scammers
Franciscan St. Francis Health, a health system serving patients in Indianapolis and south-central Indiana, has been alerted to a new telephone scam targeting its patients. St. Francis was recently contacted by a patient who had received a telephone call telling her she was required to pay an outstanding debt for a pacemaker provided by the hospital. The call appeared to emanate from within Franciscan St. Francis: the telephone number used for the call appeared to be from the hospital’s internal phone system. The patient, a 78-year-old woman, was given two choices: pay the debt or return the pacemaker if it had not been used. Fortunately, the woman felt that something wasn’t right, contacted the hospital, and discovered the call was a scam. It is unclear how the scam artist obtained the phone number of the patient, or how that person was aware of the medical device used by the woman. According to a statement issued by the hospital to CBS, the caller ID of the hospital had been spoofed to make the call appear to have come from the hospital. The matter has now been reported to...
Six Missing Hard Drives Reported by Centene: 950,000 Members Affected
Wisconsin-based health insurer, Centene Corporation, has announced the loss of six unencrypted computer hard drives containing the protected health information of approximately 950,000 of its members. The hard drives were being used for a project to improve the health outcomes of plan members. The individuals impacted by the security breach had all received laboratory services between 2009 and 2015. The data stored on the devices included names, addresses, dates of birth, member ID numbers, Social Security numbers, and laboratory test results. An initial search was conducted after it was discovered that the devices were missing, although a more comprehensive search of Centene facilities is now being conducted. That search is ongoing according to the company’s breach notice. It is possible that the hard drives will be found, although Centene has now taken the step of alerting its members to the potential exposure of their PHI out of an abundance of caution. Also out of an abundance of caution, all 950,000 members have been offered a year of credit monitoring services without charge....
Patients of Alaska Orthopedic Specialists Advised of PHI Breach
Anchorage-based healthcare provider, Alaska Orthopedic Specialists, has alerted 553 patients about a breach of their protected health information. The healthcare provider is no longer in business, having closed its doors in March 2015. While closing the business, it was discovered that a former non-physician member of staff had emailed the data of 553 patients to a personal email account, against company policy and without authorization. According to the defunct company’s breach notice, efforts have been made to secure the stolen data. It is not clear whether those data have now been securely and permanently deleted. The theft of data was reported to the Department of Health and Human Services’ Office for Civil Rights on November 19, 2015, although it has not been made public exactly what data were stolen or when the email was sent. The data were presumably emailed to the personal email account prior to the closure of the business. The breach notice states that no evidence of disclosure of the data has been found, nor any evidence that those data have been used...
Californian Oncologist Announces PHI Theft
In November 2015, the offices of Californian oncologist/hematologist, Michael S. Benjamin, M.D., were burgled. The thieves stole a number of paper charts which contained a limited amount of protected health information of his patients. Patients have now been notified of the data breach by mail, and the Department of Health and Human Services’ Office for Civil Rights (OCR) was alerted to the security breach on December 28, 2015. The breach report listed on the OCR breach portal indicates 1,300 individuals were impacted by the breach. When a data breach is suffered that impacts more than 500 individuals, in addition to issuing individual breach notification letters to the victims, HIPAA-covered entities are obliged to provide a notice to “prominent media outlets serving the State or jurisdiction.” As with the issuing of the individual notices, covered entities have up to 60 days following the discovery of a breach in order to do this. According to the media notice, a number of data were contained in the charts, which included names of patients, dates of birth, addresses, phone...



