HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Central Florida Inpatient Medicine Email Security Incident Reported

Lake Mary, FL-based Central Florida Inpatient Medicine (CFIM) has recently discovered that the email account of an employee has been accessed by an unauthorized individual, who may have viewed emails and files containing patients’ protected health information.

The substitute breach notice states that CFIM learned on May 5, 2022, that the email account contained sensitive patient data; however, the email account was breached between August 21, 2021, and September 17, 2021. The delay in issuing notifications to affected individuals was due to “an extensive forensic investigation and comprehensive and time-consuming manual document review.”

The review revealed the emails and attachments included information such as names, dates of birth, medical information including diagnosis and/or clinical treatment information, physician and/or hospital name, dates of service, and health insurance information. A limited number of Social Security numbers, driver’s license numbers, financial account information, and usernames and passwords were also exposed. CFIM said no evidence was found to indicate any patient data has been misused.

Affected individuals have been advised to monitor their accounts and explanation of benefits statements for any sign of fraudulent activity. Complimentary credit monitoring services have been offered to individuals who had Social Security numbers exposed.

CFIM said further technical safeguards have been implemented to prevent similar incidents in the future, including multifactor authentication, and additional training has been provided to employees to increase awareness of the risks of malicious emails.

Initially, the breach was thought to have affected up to 198,000 individuals, but it has now been reported to the HHS’ Office for Civil Rights as affecting 19,625 individuals.

Yale New Haven Hospital Says Patient Data Exposed over the Internet

Yale New Haven Hospital in Connecticut has announced that a file that was created for research purposes has been accidentally posted online on a public-facing website and was potentially accessed by a limited number of unauthorized individuals. The exposed file was detected by the hospital on April 18, 2022, and was immediately removed to prevent any further unauthorized access. Yale New Haven Hospital has confirmed that the file is no longer accessible over the Internet.

A third-party forensics firm was engaged to assist with the investigation and determined that the file had been uploaded on December 16, 2021, and remained accessible until April 18, 2022. The upload was not malicious and occurred as a result of human error.

The file related to radiology services provided, and included protected health information such as names, telephone numbers, email addresses, age ranges, preferred languages, medical record numbers, procedure types, and dates and location of services.

A spokesperson for Yale New Haven Hospital said the incident prompted a review of security permissions for Internet-facing systems, and further training and guidance have been provided to employees to remind them of the continued need to safeguard patient health information. Existing technical safeguards have also been enhanced to better protect patient data.

The HHS’ Office for Civil Rights website indicates that 19,496 individuals have been affected by the data breach.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.