HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Data Breaches Reported by Houston Area Community Services, County of Kings, and NYU Langone Health

Data breaches have recently been reported by Houston Area Community Services, County of Kings in California, and NYU Langone Health.

Avenue 360 Health and Wellness Reports Breach of Employee Email Accounts

Houston Area Community Services, Inc., doing business as Avenue 360 Health and Wellness, has discovered an unauthorized individual has gained access to the email accounts of certain employees and may have viewed or obtained the protected health information of 12,186 individuals.

Avenue 360 Health and Wellness said its investigation determined the email accounts were compromised between January 15, 2021, and April 2, 2021. A third-party vendor that specializes in the analysis of security incidents such as this was engaged to assist with the investigation.

A comprehensive review was conducted of all emails and attachments in the account. On November 9, 2021, Avenue 360 discovered the account contained names, medical record numbers, health insurance information, birthdates, diagnoses, clinical and treatment information, and prescription information. A limited number of individuals also had their Social Security numbers and/or financial information exposed.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Avenue 360 has not received any reports of actual or attempted misuse of patient data as a result of the email security breach. Notification letters started to be sent to affected individuals on January 5, 2022, and complimentary credit monitoring services have been offered to individuals whose Social Security number was exposed. Email security has since been improved with anti-spam technology and multi-factor authentication.

Web Server Misconfiguration Exposed COVID-19 Data of 16,590 Individuals

County of Kings, a political subdivision of the State of California, has discovered a public web server has been misconfigured which resulted in the exposure of information about COVID-19 cases.

The data had been provided to County’s Public Health Department by the California Department of Public Health and County healthcare providers and included names, dates of birth, addresses, and COVID-19 related information. The misconfiguration was detected on November 24, 2021, and the issue was fully corrected on December 6, 2021. The investigation revealed the misconfiguration occurred on February 15, 2021.

County of Kings officials said they could not rule out unauthorized accessing of the data over those 10 months, although there are no indications that any of the exposed information has been or will be misused.

Notification letters started to be sent to the 16,590 individuals whose sensitive information had been exposed on January 21, 2022. The County believes that the limited nature of the exposed data means individuals are not at risk and do not need to take any further actions. The County said it is taking steps to ensure COVID-19 information is better protected in the future.

NYU Langone Health Notifies 1,123 Patient About Mismailing Incident

NYU Langone Health has started notifying 1,123 patients about a vendor mailing error. On or around November 12, 2021, NYU Langone notified patients about a planned relocation of one of its oncology surgeons, who was based in Lake Success, NY.

A third-party vendor was used to send the notification letters and reformatted the addresses which resulted in a misalignment of patient names and addresses on the envelopes. As a result, the letters were sent to incorrect addresses. The letters were addressed as “Dear Patient,” and did not include any protected health information.

NYU Langone has received assurances from its vendor that policies, procedures, and practices have been reviewed and updated to prevent similar misdirected mailings in the future.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.