UCLA Health Patient Receives 9 Incorrect Breach Notification Letters
The UCLA Health cybersecurity attack exposed the data of 4.5 million patients, most of whom have been informed if they have been affected by the breach; however it took a considerable amount of time for patients to receive their breach notification letters, and for one victim in particular, the notification process ran anything but smoothly. According to a recent LA Times report, UCLA Health patient, Steve Reasner, was kept in the dark about the risk of identity risk that he faced, and it took many weeks since his data was exposed to learn he had been affected. After hearing about the data breach on the news, Reasner wondered if his information was now in the hands of the hackers. He had previously used UCLA Health services and could conceivably have had his confidential data stolen. He waited for a letter to arrive in the mail, and a few days later he received not one breach notification letter but nine. To add to his confusion, none of the letters were addressed to him. They had his address on the envelope, but the names of different individuals who had – presumably –...
Akron Children’s Hospital Reports Loss of Voice Recordings
Ohio’s Akron Children’s Hospital has reported the loss of a hard drive used to store backed up copies of voice recordings of conversations between medical staff and dispatchers. The backup drive was physically secured under lock and key at the hospital, but the data was not encrypted. An investigation into the equipment loss was conducted by hospital staff as soon as the driver was discovered to be missing. According to Akron Children’s Hospital’s COO, Grace Wakulchik, “Our internal investigation indicated the hard drive was lost and nothing malicious was involved.” Since the storage facility was in a secure location of the hospital, it is highly unlikely that the device was stolen by a patient or member of the public, the most probably explanation being the devices was simply misplaced. Limited Protected Health Information Exposed The recordings were made between Sept. 18, 2014, and June 3, 2015 and involved brief conversations between physicians’ offices and hospital emergency departments. During these conversations a limited amount of Protected Health Information (PHI) of...
University of Oklahoma Department of Obstetrics and Gynecology Announces Data Breach
A physician from the University Of Oklahoma College of Medicine’s Department of Obstetrics and Gynecology became a victim of crime this summer, when a laptop computer was stolen from a vehicle where it had been temporarily housed. Unfortunately, the protected records of 7,693 patients were stored on the laptop and the device was not encrypted. The laptop contained two separate lists of data, the first including information about patients who had visited either the Department of Obstetrics and Gynecology’s Outpatient Surgery Center or Presbyterian Tower center between January 1, 2009, and December 31, 2014. The lists contained the names of patients, the date a gynecologic or urogynecologic medical procedure was performed, details of that medical procedure, and admission and discharge dates. Also stored with that data were patient names, dates of birth, ages, medical record numbers and patient account numbers. No insurance information, financial details or Social Security numbers were exposed in the security breach. The second list contained data about patients who had received...
Mobile Devices Biggest Enterprise Cybersecurity Vulnerability
A news release issued by Check Point Software suggests mobile devices now represent the biggest threat in the security chain; a potential problem for healthcare organizations operating a BYOD scheme. Mobile devices are now viewed as one of the easiest entry points into an otherwise protected computer network and are now the biggest enterprise cybersecurity vulnerability according to the report. Large healthcare providers should take note, as they are likely to be particularly vulnerable to attack, purely because of the number of mobile devices they have in operation. According to Check Point Researchers, organizations allowing 2,000 or more mobile devices to connect to the network have a 50% chance of at least six devices being infected or having been targeted by cybercriminals. 72% of IT professionals agreed that for the coming year, the top security challenge is securing corporate information; however in close second place (67%) was dealing with personal device security. Securing, storing and segregating personal and corporate data on mobile devices is a major challenge. Key...
Potential PHI Disclosure After Employee Works from Home with Hospital Data
The William W. Backus Hospital has sent breach notification letters to 360 individuals alerting them that their Protected Health Information (PHI) may have been viewed by an unauthorized individual. The information potentially viewed includes patient names, medical record numbers, dates of treatment, and information relating to the diagnoses and treatment provided to patients. The hospital confirmed to patients that no Social Security numbers, financial information or insurance details had been disclosed. Individuals affected by the breach had previously visited the hospital’s emergency room for treatment. Under the Health Insurance Portability and Accountability Breach Notification Rule, HIPAA-covered entities are obliged to report all breaches of PHI to the Department of Health and Human Services’ Office for Civil Rights (OCR); however, since the data breach involved fewer than 500 individuals, the breach notice does not need to be submitted to the OCR until the end of February 2016. A breach notice only needs to be issued to the media if more than 500 individuals have been...



