HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Breaches Reported by Hanger Clinic, Gateway Health, and Sunrise Treatment Center

Sunrise Treatment Center in Cincinnati, OH is alerting 3,660 patients that some of their protected health information may have been accessed by an unauthorized individual who gained access to the email account of an employee. The breach occurred on February 26, 2020 and was detected the following day.

A forensic investigation of the breach was completed on April 15, 2020 and confirmed that the email account contained patient information such as first and last names, birth dates, descriptions of the treatment provided, medications, health plan numbers, account balances, treatment dates, and some Social Security numbers.

While patient information may have been accessed, the purpose of the attack was to try to convince Sunrise employees to wire money to a foreign bank account. A fraudulent wire transfer was detected and blocked before any money left Sunrise accounts.

Sunrise found no evidence to suggest patient information was accessed or obtained in the attack but, as a precaution, Sunrise has offered affected patients complimentary membership to credit monitoring services for 12 months. Following the breach, a third-party specialist was engaged to conduct a comprehensive security assessment and additional safeguards have now been implemented to prevent further attacks.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

PHI of Gateway Health Members Exposed in Business Associate Phishing Attack

Gateway Health, a managed care organization serving members in Pennsylvania, has discovered the protected health information of some of its members has potentially been compromised.

Gateway Health uses National Imaging Associates (NIA) to review orders for imaging services. On April 11, 2020, NIA discovered its systems had been breached and an unauthorized individual had gained access to its email system. The investigation confirmed that access to emails was gained following a response to a phishing email.

The compromised emails included Gateway Health members’ names, dates of birth, Gateway ID numbers, treatment information, payment and health plan information.

The compromised email account was used to conduct further phishing attacks. No evidence was found to suggest Gateway Health members’ information was accessed or stolen and no reports have been received about misuse of members’ personal and protected health information.

NIA has taken steps to improve security and has offered all affected Gateway Health members complimentary membership to credit monitoring services for 12 months.

Hanger Clinic Reports Improper Disposal Incident

Hanger Prosthetics & Orthotics, Inc., doing business as Hanger Clinic, has discovered a storage facility used by its Kirksville location in Missouri was accessed by storage facility staff who disposed of boxes of files containing patient records.

When Hanger Clinic learned about the incident, staff members were sent to the storage facility to secure the remaining records. Those records have now been recovered and the storage facility is no longer being used.

The files contained the records of 6,033 patients. Information in the files included names, addresses, dates of birth, dates of service, medical record numbers, treatment histories, copies of driver’s licenses, prescription information, insurance information, and Social Security numbers.

As a precaution against identity theft and fraud, affected patients have been offered complimentary identity theft protection and credit monitoring services.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.