Sutter Health Physician Suffers Second 2015 Data Breach
In a press release issued to the media on May 19, 2015, Sutter Health Physician, Sharon J. Jones, M.D. announced that her office facilities had suffered a break-in and a desktop computer, two laptop computers, a computer server, and 17 patient charts were stolen. The break-in occurred overnight on March 20, 2015. The breach has now been reported to the Office for Civil Rights as affecting 1,342 individuals. This is not the first time the offices have suffered at the hands of burglars, and in only January of this year the same facilities were broken into and 350 patient charts were stolen along with a credit card register. The thief appears to be persistent. Following the second break-in, Jones hired a security guard who managed to stop a third break-in attempt three days later. Jones stated that she has employed new security measures to protect patient records, one of which appears to be moving her office from San Pablo to Richmond, which she plans on doing in the next 6 months. In the latest incident, the press release does not describe the information contained in the patient...
Employee Email Causes Second HHC Hospital HIPAA Breach
A New York City Health and Hospitals Corporation (HHC) hospital HIPAA breach has been reported in which 3,334 patients’ Protected Health Information (PHI) was exposed after an employee emailed a spreadsheet to the email account of a relative. The HIPAA breach was discovered on February 27, 2015, although the email was sent more than a month previously on January 15, 2015. Belleview Hospital posted a copy of the breach notification letters (dated April 28, the same day as the breach report was submitted to the Department of Health and Human Services’ Office for Civil Rights) almost two months after the discovery of the breach. Under the HIPAA Breach Notification Rule, covered entities have up to 60 days to report breaches and issue breach notices when a data breach exposes the PHI of more than 500 individuals, although the notices should be issued without unreasonable delay. How the Belleview Hospital HIPAA Breach Occurred The employee in question was provided with a spreadsheet that included patient names, telephone numbers, and email addresses in addition to their medical record...
CareFirst BCBS Reveals 1.1 Million-Record Cyberattack
CareFirst BCBS Security Audit Reveals 1.1 Million-Record Cyberattack CareFirst BlueCross BlueShield has discovered a cybercriminal infiltrated its computer network last year on what appears to be a single occasion. Protected data of approximately 1.1 million individuals has potentially been disclosed in the incident. Following the two mega data breaches to hit health insurers this year – Anthem’s hack exposed 78.8 million-records and Premera’s 11 million – and the Community Health Systems 4.5 million record-breach last year, CareFirst BCBS decided to take a closer look at its own systems and check for suspicious activity. The insurer used an external IT security company, Mandient, to conduct a thorough inspection of its computer network and database. That internal review uncovered a cyberattack had occurred in which the insurer’s cybersecurity defenses were shown to have been breached on June, 20, 2014. No Healthcare Data or Social Security Numbers Exposed The information accessed was contained in a single database, according to a breach notice posted on a website set up to...
Consolidated Tribal Health Project Learns of Employee HIPAA Breach
The Consolidated Tribal Health Project, Inc. (CTHP) has discovered that a former employee accessed Protected Health Information (PHI) and Personally Identifiable Information (PII) information stored on its computer network that the individual had no legitimate reason for viewing. In accordance with the HIPAA Breach Notification Rule, a breach notice has been issued to the media and CTHP said it started mailing notification letters to affected individuals on May, 12. No mention was made of when CTHP learned of the data breach or for how long it had continued before it was detected. The press release did confirm that an investigation is underway to determine the nature and scope of the incident, and law enforcement officers have been notified and are conducting a criminal investigation. CTHP enlisted the help of external computer forensics experts to analyze login and access attempts and to ascertain exactly what data was exposed and how many individuals were affected. Social Security Numbers and Financial Information of Patients and Employees Compromised The total number of victims...
Burglary at Minn. Associated Dentists Exposes Patient Health Records
A burglary at the Roseville offices of Associated Dentists has exposed the Protected Health Information (PHI) and Personally Identifiable Information (PII) of an as-of-yet undisclosed number of individuals after the laptops of two physicians were stolen by the thief. The theft occurred after working hours on Thursday, March 19, and was discovered the following day. One of the laptop computers was encrypted, so it would not be possible for the thief to access any protected information. The other laptop was protected with a password, and while this does offer a rudimentary level of protection, for a hacker or computer expert it is unlikely to prove sufficient to prevent data from being viewed. The data stored on the password-protected laptop included the names of patients, their addresses, dates of birth, and Social Security numbers. In some cases, additional information was stored in patient’s records such as email addresses, medical billing information, procedures performed, physician’s name, insurance carrier name, policy number, and diagnosis information. The risk of identity...



