HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Data Breaches Reported by Alameda Health System, Aon, and Capsule Pharmacy

Alameda Health System in California, Capsule pharmacy in New York, and Aon PLC in Illinois have recently reported data breaches affecting a total of 56,290 individuals.

Alameda Health System Notifying 90,000 Patients About PHI Breach

Oakland, CA-based Alameda Health System has recently reported a data breach to the Department of Health and Human Services’ Office for Civil Rights that has affected up to 90,000 patients. Limited information has been released so far on the nature of the breach. Alameda Health System said suspicious activity was detected in the email accounts of certain employees with the investigation confirming several employee email accounts had been accessed by an unauthorized third party.

The review of those accounts confirmed they contained the protected health information of patients, although it is currently unclear to what extent patient information has been compromised. Alameda Health System said no evidence has been found that suggests any information in the accounts has been viewed or removed. Notification letters will be sent to affected individuals shortly, and measures will be implemented to improve security and mitigate harm to patients.

Capsule Pharmacy Breach Affects 27,486 Individuals

Capsule, a NY-based digital pharmacy, has started notifying 27,486 individuals that some of their protected health information has been exposed in a recent cyberattack. According to the breach notification sent to the California Attorney General, unauthorized individuals gained access to certain Capsule accounts on April 5, 2022.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The security breach was detected the same day and a password reset was performed on all affected accounts. A third-party digital forensics firm was engaged to assist with the investigation, which confirmed that the following types of information had potentially been compromised: demographic information such as names, email addresses, phone numbers, addresses, birthdates, and sex, health information including medical conditions and prescribed medications, past order histories, insurance information, chat messages to and from Capsule agents, and the last 4 digits of credit card numbers and expiry dates.

Capsule said additional security safeguards are being implemented. While a password reset has been performed on all affected accounts, Capsule has recommended users “set different passwords for your different accounts, use complex passwords or passphrases that are not easy to guess, and not reuse previous passwords,” which suggests the security breach may have been a password spraying attack.

PHI of More Than 28,700 Individuals Potentially Compromised in Aon PLC Cyberattack

Aon PLC, a Chicago, IL-based business associate that provides financial risk-mitigation products, including insurance and health insurance plans, has recently announced that it was the victim of a cyberattack. The security breach was discovered on February 25, 2022, with the forensic investigation confirming an unauthorized third party had gained access to certain Aon systems at various times between December 29, 2020, and February 26, 2022, and that certain documents containing individuals’ protected health information had been removed from its systems.

Aon said it has taken steps to confirm that the removed information is no longer in the possession of the third party there are no indications that the removed information has been further copied, retained, or shared, and there is no reason to suspect that any information has or will be misused. The affected information was limited to names, Social Security numbers, driver’s license numbers, and, for a limited number of individuals, benefit enrolment information. Aon said the incident was reported to the Federal Bureau of Investigation and other law enforcement authorities, and steps have been taken to further enhance security.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.