PHI Accessed by Contra Costa Health Plan Contractor Who Falsified Identity to Win Contracts


Contra Costa Health Plan (CCHP) has started notifying certain patients that some of their protected health information may have been viewed by an unauthorized individual.

That individual was a contractor who won a series of contracts related to utilization management. The contractor first started working with CCHP on December 1, 2014, and was given access to systems containing health plan records to complete her contracted duties.

On May 22, 2018, CCHP learned that the contractor had falsified her identity in order to win the contracts. Upon discovery of the fraud, CCHP terminated the contract and blocked access to its systems. A full audit of the activities of the contractor was conducted to determine what systems had been accessed and whether plan members’ data had been viewed.

The audit revealed that the contractor had accessed plan members’ health plan records while performing her utilization management duties, although no evidence was uncovered to suggest any of the information contained in those records has been further disclosed by the contractor or used inappropriately.

The types of information potentially viewed included names, addresses, phone numbers, dates of birth, medical information, prescription information, and Social Security numbers.

California’s Department of Health Care Services was notified about the incident and advised CCHP to issue notifications to all plan members whose records had been accessed. Those individuals have been offered complimentary credit monitoring, identity theft protection, and identity restoration services out of an abundance of caution.

Ramsey County Social Services Notifies Patients of Phishing Breach

Ramsey County Social Services in St. Paul, MN, experienced a phishing attack on August 9, 2018, that resulted in the email accounts of 28 employees being accessed by unauthorized individuals.

After gaining access to the email accounts, the attackers attempted to redirect employees’ paychecks. Prompt action was taken to block the attack and secure the accounts, and a data security firm was hired to conduct a thorough investigation of the breach.

On October 12, 2018, the data security firm notified Ramsey County Social Services that the hackers had potentially viewed emails in the accounts that contained the protected health information of approximately 500 patients, most of whom had used the agency’s chemical and mental health services.

The types of information contained in the accounts included names, addresses, dates of birth, Social Security numbers, and a limited amount of medical information. Patients affected by the breach were notified in early December. No reports have been received to suggest any information in the email accounts has been misused.

To better protect employee email accounts, a tool has been implemented to ensure employees set strong passwords, and multi-factor authentication has been implemented to prevent accounts from being accessed from unknown locations and devices. New security software has also been implemented that offers enhanced monitoring and auditing capabilities, and employees have been provided with further training.

Author: HIPAA Journal
