Florida Hospital Group Notifies Patients of Employee Data Theft
A hospital in central Florida has sent breach notification letters to 94 patients informing them that their Social Security numbers, dates of birth, annual income and full names have been inappropriately accessed by a former employee of the hospital. The data breach was reported to Channel 9 News by a former patient of a Community Health Centers hospital facility who recently received a breach notification letter in the post informing her that her Protected Health Information (PHI) had potentially been stolen. She was told in the letter that she may be at risk of becoming a victim of identity theft and that her data may be used for fraudulent purposes. Following the discovery of the breach the employee’s access to CHC’s patient database was terminated, as has her employment. In the letter, CHC advised patients that it will be “working on enhanced privacy monitoring systems” to reduce the risk of insider HIPAA breaches happening in the future, and to rapidly identify inappropriate access should it happen again. It is not clear at this stage whether the employee accessed the...
Texas Department of Aging and Disability Services Discovers Potential 8-Year HIPAA Breach
The Texas Department of Aging and Disability Services (DADS) has started notifying patients of an error that resulted in a HIPAA breach that exposed the Protected Health Information (PHI) of 6,600 Medicaid recipients. The error involved web application data being accessible via the internet when the application was intended to be for internal use only. DADS was alerted to the error on April 27, 2015, although the breach notice did not state when the error was made or for how long the data was freely available over the Internet. A news report in The Statesman indicates that the data could potentially have been exposed for up to 8 years. Investigations into the DADS HIPAA Data Breach Continue DADS is unsure how the data breach occurred, although an investigation into the matter is ongoing. At this point in time, the most likely cause of the data breach was human error, with a mistake made when the application was developed, although according to departmental spokesperson, Cecilia Cavuto, “it is possible the data had accidentally been posted online when its handling was transferred to...
Hackers Steal Patient Data from Medical Software Company
Medical Informatics Engineering, a provider of software solutions for the healthcare industry, has reported it has been the target of a successful hacking campaign that resulted in Protected Health Information (PHI) being obtained by hackers. The data breach has affected an as-of-yet undisclosed number of patients of the following healthcare clients: Concentra Health Fort Wayne Neurological Center Franciscan St. Francis Health, Indianapolis Gynecology Center, Inc. Fort Wayne McDonough District Hospital (1,200 patients affected) Rochester Medical Group According to the press release issued by Medical Informatics Engineering – posted on Business Wire – Medical Informatics Engineering discovered “suspicious activity relating to one of its servers” on May 26, 2015. The cybercrime division of the FBI was notified and an investigation into the hack is ongoing. A forensic analysis of the affected servers determined that the personal information exposed in the Medical Informatics Engineering data breach included patient names, home/mailing addresses, email addresses, and dates of...
Website Error Exposes PHI of Blue Shield of California Members
A website programing glitch has caused a data breach which has exposed the confidential records of 843 members of Blue Shield of California (BSoC). The unintentional coding error resulted in authorized users being displayed information of other individuals via the health plan’s secure administrator website. The data was displayed when two users logged into the system at the exact same time, with the other users records being displayed on screen. The glitch had a duration of 9 days, with data first compromised on May 9, 2015. The data breach only affects the website used by administrators and brokers of BSoC’s group health benefit plan. The breach occurred after an update was made to the code on the site. That error was not replicated on the public Blue Cross website. Blue Shield of California was informed of the data breach on May 18 following a call to its Privacy Office. The website was immediately taken offline to prevent any further exposure of confidential records and to give BSoC time to investigate the problem. The error was identified and the website was recoded within 24...
Billing Business Associate Exceeds Breach Notice Period by 7 Months
A payment processing Business Associate (BA) of North Shore-LIJ Health System – Global Care Delivery (GCD) – has reported the theft of five laptop computers; four of which are believed to have contained the Protected Health Information (PHI) of approximately 18,000 patients. The theft took place at GCD’s offices in Texas on or before September 2, 2014. The data stored on the laptop computers was not encrypted, although the devices were protected by passwords. While passwords offer some degree of protection, they can be cracked. The Health Insurance Portability and Accountability Act (HIPAA) demands that incidents such as this are classed as data breaches as PHI can potentially be viewed and used inappropriately. After the discovery of the theft on September 2, 2014, GCD reported the incident to law enforcement and an investigation was conducted to determine which data was stored on the laptops. GCD determined that the laptops contained patients’ first and last names, dates of birth, diagnosis and procedural codes, and internal account numbers. Insurance identification numbers...



