HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Data Breaches Reported by Lakeshore Bone & Joint Institute and Putnam County Memorial Hospital

Lakeshore Bone & Joint Institute, an orthopedic practice in Indiana, has experienced a breach of its Microsoft Office 365 environment, which included emails and attachments that contained the protected health information of certain patients.

Unusual activity was detected in an employee email account on July 7, 2021. Steps were immediately taken to prevent further unauthorized access and a cybersecurity and digital forensic firm was retained to investigate the breach and assist with remediation efforts.

The breach investigation confirmed that an unauthorized individual had gained access to a single employee email account. A review of the account was completed on October 21, 2021, and revealed the following types of patient information may have been viewed or acquired in the attack:

Date of birth, treatment information, diagnosis, provider name, MRN/patient ID, health insurance information, treatment cost information, and, for certain individuals, Social Security numbers.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Individuals whose Social Security numbers were potentially compromised have been offered a 12-month membership to identity theft monitoring services at no cost.

The breach report submitted to the Maine attorney general indicates 23,627 individuals have potentially been affected by the breach.

PHI Potentially Compromised in Putnam County Memorial Hospital Ransomware Attack

Putnam County Memorial Hospital in Unionville, MO, has started notifying 6,916 individuals about a July 2021 cyberattack in which protected health information was potentially compromised.

The attack was detected on July 18, 2021, when the staff was prevented from accessing ceratin computer systems and files. A forensic investigation confirmed an unauthorized individual had gained access to its network at some point between July 16 and July 18, deployed a variety of network reconnaissance tools to identify systems and data of interest, then used ransomware to encrypt files.

The forensic investigation confirmed the parts of the network accessed by the attacker included patient and employee data including names, addresses, Social Security numbers, physician-patient assessments and records, patient authorizations, and lab and radiology reports. Financial information is not believed to have been compromised.

Following the breach, new security measures were implemented to better protect patient data. Complimentary credit monitoring services have been offered to affected individuals for 12 months at no cost. Those services include darknet and clearnet monitoring, quick cash scan, fraud consultation and identity theft restoration services, and identity theft insurance.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.