Breaches Reported by Northwestern Memorial Hospital, Apex Laboratory, and Five Points Eye Care

Share this article on:

Northwestern Memorial Hospital in Chicago discovered a former temporary worker may have inappropriately viewed the medical records of certain patients while employed at the hospital.

The unauthorized access was detected on December 2, 2020. A review of access logs revealed the individual viewed patient records without a work-related purpose for doing so between October 27, 2020 and December 2, 2020.  The information potentially viewed was limited to patient names, addresses, and treatment information. The worker did not have access to financial information or Social Security numbers.

Northwestern Memorial Hospital issued a statement about the privacy breach confirming the records of 682 patients may have been viewed and confirmed that the temporary worker is no longer employed by the hospital. It is unclear why the records were accessed. All affected patients are being notified about the privacy breach by mail and the incident has been reported to appropriate authorities.

The HHS’ Office for Civil Rights breach portal shows 682 patients were affected by the breach.

Apex Laboratory Victim of DoppelPaymer Ransomware Attack

Apex Laboratory, a provider of home laboratory services in the New York metropolitan area and South Florida, was the victim of a DoppelPaymer ransomware attack in July 2020. Thousands of files have recently been uploaded to the data leak site of the DoppelPaymer ransomware gang, many of which contained the protected health information of patients and sensitive employee data.

Databreaches.net reports that after contacting Apex Laboratory about the breach, the dumped data was removed from the DoppelPaymer leak site. In a December 31, 2020 breach notice posted on the Apex Laboratory website, the laboratory confirmed that it suffered a ransomware attack on July 25, 2020 and that the encrypted data was restored on July 27, 2020.

The data uploaded to the leak site is presumed to have been obtained in the July cyberattack. Apex Laboratory confirmed that after being notified about the dumped records, steps were immediately taken to ensure the attackers removed the data from the leak site. The dumped data is believed to have included patient names, birth dates, test results, and a limited number of phone numbers and Social Security numbers. The investigation into the breach is ongoing and breach notification letters will be mailed to victims in the next few days.

Athens Optometrist Reports Potential Breach of Patient Data

Five Points Eye Care in Athens, GA has discovered an unauthorized individual gained access to its network and potentially viewed/obtained patient information. The breach occurred on October 27, 2020 and was detected and remediated the same day.

The breach was limited to the email system, which only contained correspondence sent to the optometrist from other treating physicians. Those emails contained names, dates of birth, Social Security numbers, addresses, medications, and treatment plans. A forensic investigation confirmed no other information could be accessed.

The security breach was reported to law enforcement and affected individuals have been notified by mail and offered a year of free credit monitoring services.

The HHS’ Office for Civil Rights breach portal shows 1,223 patients were affected by the breach.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On