Clearway Pain Solutions Institute Discovers Unauthorized EMR System Access

Gulf Coast Pain Consultants, dba Clearway Pain Solutions Institute, has discovered its EMR system has been accessed by an unauthorized individual.

An investigation was launched following the discovery of the breach on February 20, 2019. The investigation revealed the individual accessed a range of patient information.

The types of information that were accessed included patients’ names, telephone numbers, home addresses, email addresses, dates of birth, Social Security numbers, health insurance information, name of referring provider, and demographic information. Clinical information contained in medical records could not be accessed and no financial information was exposed.

Unauthorized access to the system has now been blocked, a full review of all EMR accounts has been conducted, and access levels and EMR system activity have been validated for all user accounts. A review of policies and procedures is being conducted with regard to the accessing of patient information, and updates will be made as appropriate.

All patients affected by the breach are now being notified and are being offered 12 months of membership to Experian IdentityWorks at no cost.

The breach summary on the HHS’ Office for Civil Rights breach portal indicates up to 35,000 patients have been affected by the incident.

Questcare Medical Services Discovers Email Account Breach

Questcare Medical Services, a Dallas, TX-based physician group, has announced the email account of an employee was compromised on February 13, 2019 as a result of a phishing attack. An investigation was immediately launched, which revealed the compromised account contained protected health information. Affected patients were notified about the breach on April 12, 2019.

All individuals impacted by the breach had received medical services from Questcare in the Dallas, Fort Worth, or Arlington regions of Texas. The information potentially accessed by the attacker was limited to names, dates of birth and some clinical information. No sensitive financial information or Social Security numbers were exposed.

Questcare has provided further training to staff to improve security awareness and regular reminders about phishing will be sent to staff. Microsoft’s Advanced Threat Protection has also been implemented to provide enhanced protection against phishing attacks.

The number of individuals impacted by the breach has not yet been publicly disclosed.

RS Medical Experiences Phishing Attack

Vancouver, WA-based pain relief device manufacturer RS Medical has experienced a phishing attack that resulted in the email account of an employee being accessed by an unauthorized individual. The purpose of the attack appears to have been to gain access to a company account to send phishing emails rather than obtain sensitive patient information.

After gaining access to the account, the attacker sent around 10,000 phishing emails, which alerted the company to the account breach. The breach was detected within 2 hours of the account being accessed.

While PHI access is not suspected, it could not be ruled out with a high degree of certainty. Notification letters have been sent to all individuals whose PHI was included in the account. The breach summary on the HHS’ Office for Civil Rights breach portal indicates 1,911 individuals were affected by the phishing attack.

The exposed PHI was limited to names, dates of birth, phone numbers, home addresses, diagnosis codes, and details of the medical equipment and supplies that had been provided by RS Medical.


Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.