HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Breaches Reported by St. Luke’s Health-Memorial Lufkin, RiverPointe Post Acute, and Iowa Total Care

CHI St. Luke’s Health-Memorial Lufkin in Texas has started notifying patients that some of their protected health information may have been accessed by an unauthorized individual.

St Luke’s threat management team investigated a security breach involving a network server on March 25, 2020. Third-party vendors conducted a forensic investigation and determined on April 23, 2020 that the email accounts of two employees may have been accessed by an unapproved outside party.

The investigation did not uncover evidence confirming unauthorized PHI access or data theft, but the possibility could not be ruled out. The email accounts contained names, diagnosis information, dates of services, and facility account numbers. Based on the investigation, St. Luke’s does not believe patient data has been used inappropriately but has offered certain patients complimentary credit monitoring services through Experian as a precaution.

The security breach was thoroughly investigated, data access logs were checked, and a threat intelligence analysis was performed. All passwords were reset across the facility, hardware has been replaced and upgraded, changes have been made to software to improve security, and processes for accessing the network have been changed.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The breach has yet to appear on the HHS’ Office for Civil Rights breach portal so it is currently unclear how many patients have been affected.

RiverPointe Post Acute Reports Loss of 633 Patients’ PHI

RiverPointe Post Acute Carmichael, CA has notified 633 nursing home residents that some of their protected health information has been exposed. A USB storage device containing names, insurance ID numbers, and some Social Security numbers was sent in the mail but was lost in transit. When the device was not received, the loss was reported to the postal service and a search was performed, but the storage device could not be located.

While no specific evidence was uncovered to indicate the device was obtained by an unauthorized individual, affected residents have been offered complimentary identity theft protection services as a precaution. Further training has now been provided to employees on data security.

Email Error Exposed PHI of 11,500 Iowa Total Care Members

Iowa Total Care has discovered the protected health information of thousands of patients has been impermissibly disclosed by an employee. On April 29, 2020, an employee sent an Excel spreadsheet containing claims data to a large provider organization. The file contained the protected health information of patients that had not received medical care at the organization.

The spreadsheet contained names, Medicaid ID numbers, dates of birth, and procedure and diagnosis codes of 11,581 patients. The provider is a HIPAA covered entity so is aware of the need to safeguard protected health information and has confirmed that the spreadsheet was deleted and had not been shared or copied.

Iowa Total Care has re-educated the employee concerned and has implemented additional safeguards to prevent similar errors in the future.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.