Central Florida Inpatient Medicine Security Incident Affects Almost 198,000 Patients

Lake Mary, FL-based Central Florida Inpatient Medicine (CFIM) has recently discovered that the email account of an employee has been accessed by an unauthorized individual, who may have viewed emails and files containing patients’ protected health information.

The substitute breach notice states that CFIM learned on May 5, 2022, that the email account contained sensitive patient data; however, the email account was breached between August 21, 2021, and September 17, 2021. The delay in issuing notifications to affected individuals was due to “an extensive forensic investigation and comprehensive and time-consuming manual document review.”

The review revealed the emails and attachments included information such as names, dates of birth, medical information including diagnosis and/or clinical treatment information, physician and/or hospital name, dates of service, and health insurance information. A limited number of Social Security numbers, driver’s license numbers, financial account information, and usernames and passwords were also exposed. CFIM said no evidence was found to indicate any patient data has been misused.

Affected individuals have been advised to monitor their accounts and explanation of benefits statements for any sign of fraudulent activity. Complimentary credit monitoring services have been offered to individuals who had Social Security numbers exposed.

CFIM said further technical safeguards have been implemented to prevent similar incidents in the future, including multifactor authentication, and additional training has been provided to employees to increase awareness of the risks of malicious emails.

Yale New Haven Hospital Says Patient Data Exposed over the Internet

Yale New Haven Hospital in Connecticut has announced that a file created for research purposes was accidentally posted on a public-facing website and was potentially accessed by a limited number of unauthorized individuals. The hospital detected the exposed file on April 18, 2022, and immediately removed it to prevent any further unauthorized access. Yale New Haven Hospital has confirmed that the file is no longer accessible over the Internet.

A third-party forensics firm was engaged to assist with the investigation and determined that the file had been uploaded on December 16, 2021, and remained accessible until April 18, 2022. The upload was not malicious and occurred as a result of human error.

The file related to radiology services provided, and included protected health information such as names, telephone numbers, email addresses, age ranges, preferred languages, medical record numbers, procedure types, and dates and location of services.

A spokesperson for Yale New Haven Hospital said the incident prompted a review of security permissions for Internet-facing systems, and further training and guidance have been provided to employees to remind them of the continued need to safeguard patient health information. Existing technical safeguards have also been enhanced to better protect patient data.

The HHS’ Office for Civil Rights website indicates 19,496 individuals have been affected by the data breach.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.