The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Clearway Pain Solutions Institute Discovers Unauthorized EMR System Access

Gulf Coast Pain Consultants, dba Clearway Pain Solutions Institute, has discovered its EMR system has been accessed by an unauthorized individual. An investigation was launched following the discovery of the breach on February 20, 2019. The investigation revealed the individual accessed a range of patient information on three separate occasions. That individual was a former contractor whose access rights were not terminated promptly when services stopped being provided.

The types of information that were accessed included patients’ names, telephone numbers, home addresses, email addresses, dates of birth, Social Security numbers, health insurance information, name of referring provider, and demographic information. Clinical information in medical records could not be accessed and no financial information was exposed.

Unauthorized access to the system has now been blocked, a full review of all EMR accounts has been conducted, and access levels and EMR system activity have been validated for all user accounts. A review of policies and procedures is being conducted with regard to the accessing of patient information and updates will be made as appropriate. All patients affected by the breach are now being notified and are being offered 12 months of membership to Experian IdentityWorks at no cost.

The breach summary on the HHS’ Office for Civil Rights breach portal indicates up to 35,000 patients were affected by the incident. OCR investigated the breach and determined the PHI of approximately 34,310 patients had been accessed without authorization and Gulf Coast Pain Consultants was in violation of four provisions of the HIPAA Security Rule. A civil monetary penalty of $1.19 million was imposed to resolve the alleged violations.

Questcare Medical Services Discovers Email Account Breach

Questcare Medical Services, a Dallas, TX-based physician group, has announced the email account of an employee was compromised on February 13, 2019 as a result of a phishing attack. An investigation was immediately launched which revealed the compromised account contained protected health information. Affected patients were notified about the breach on April 12, 2019.

All individuals impacted by the breach had received medical services from Questcare in the Dallas, Fort Worth, or Arlington regions of Texas. The information potentially accessed by the attacker was limited to names, dates of birth and some clinical information. No sensitive financial information or Social Security numbers were exposed.

Questcare has provided further training to staff to improve security awareness and regular reminders about phishing will be sent to staff. Microsoft’s Advanced Threat Protection has also been implemented to provide enhanced protection against phishing attacks.

The number of individuals impacted by the breach has not yet been publicly disclosed.

RS Medical Experiences Phishing Attack

Vancouver, WA-based pain relief device manufacturer RS Medical has experienced a phishing attack that resulted in the email account of an employee being accessed by an unauthorized individual. The purpose of the attack appears to have been to gain access to a company account to send phishing emails rather than to obtain sensitive patient information.

After gaining access to the account, the attacker sent around 10,000 phishing emails, which alerted the company to the account breach. The breach was detected within 2 hours of the account being accessed.

While PHI access is not suspected, it could not be ruled out with a high degree of certainty. Notification letters have been sent to all individuals whose PHI was included in the account. The breach summary on the HHS’ Office for Civil Rights breach portal indicates 1,911 individuals were affected by the phishing attack.

The exposed PHI was limited to names, dates of birth, phone numbers, home addresses, diagnosis codes, and details of the medical equipment and supplies that had been provided by RS Medical.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
