HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

PHI Accessed by Contra Costa Health Plan Contractor Who Falsified Identity to Win Contracts

Contra Costa Health Plan (CCHP) has started notifying certain patients that some of their protected health information may have been viewed by an unauthorized individual.

That individual was a contractor who won a series of contracts related to utilization management. The contractor first started working with CCHP on December 1, 2014, and was given access to systems containing health plan records to complete her contracted duties.

On May 22, 2018, CCHP learned that the contractor had falsified her identity in order to win the contracts. Upon discovery of the fraud, CCHP terminated the contract and blocked access to its systems. A full audit of the activities of the contractor was conducted to determine what systems had been accessed and whether plan members’ data had been viewed.

The audit revealed that the contractor had accessed plan members’ health plan records while performing her utilization management duties, although no evidence was uncovered to suggest any of the information contained in those records has been further disclosed by the contractor or used inappropriately.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

The types of information potentially viewed included names, addresses, phone numbers, dates of birth, medical information, prescription information, and Social Security numbers.

The California’s Department of Health Care Services was notified about the incident and advised CCHP to issue notifications to all plan members whose records had been accessed. Those individuals have been offered complimentary credit monitoring, identity theft protection, and identity restoration services out of an abundance of caution.

Ramsey County Social Services Notifies Patients of Phishing Breach

Ramsey County Social Services in St. Paul, MN, experienced a phishing attack on August 9, 2018 that resulted in the email accounts of 28 employees being accessed by unauthorized individuals.

After gaining access to the email accounts, the attackers attempted to redirect employees’ paychecks. Prompt action was taken to block the attack and secure the accounts and a data security firm was hired to conduct a thorough investigation of the breach.

On October 12, 2018, the data security firm notified Ramsey County Social Services that the hackers had potentially viewed emails in the account that contained the protected health information of approximately 500 patients, most of whom had used the agency’s chemical and mental health services.

The types of information contained in the accounts included names, addresses, dates of birth, Social Security numbers, and a limited amount of medical information. Patients affected by the breach were notified in early December. No reports have been received to suggest any information in the email accounts has been misused.

To better protect employee email accounts, a tool has been implemented to ensure employees set strong passwords and multi-factor authentication has been implemented to prevent accounts from being accessed from unknown locations and devices. New security software has also been implemented that offers enhanced monitoring and auditing capabilities and employees have been provided with further training.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.