Data Breaches Reported by Manchester Ophthalmology, UnitedHealthcare, and Cook County Health

Manchester Ophthalmology in Connecticut has experienced a cyberattack in which the attackers may have gained access to patient information.  The eye care provider became aware of the cyberattack on November 25, 2019 when employees noticed unusual activity on the network. Assisted by a third-party technology firm, it was determined later that day that hackers had gained access to its systems and attempted to deploy ransomware. Access was first gained to the network on November 22, 2019 and continued until November 25.

The investigation found no evidence to suggest any patient information was accessed or downloaded by the attackers, but during the investigation it was determined that certain patient information had not been backed up and could not be recovered. The types of data lost included names, patient-created medical histories, and details of the care those patients received at Manchester Ophthalmology.

Patients have been advised to exercise caution and monitor their accounts and explanation of benefits statements for any sign of fraudulent use of their information. Manchester Ophthalmology has provided further training to employees to ensure the proper backup of all information.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates up to 6,846 patients were affected by the security breach.

UnitedHealthcare Alerts Patients About 2019 Data Breach

On January 31, 2020, the Minnetonka, MN health insurer, UnitedHealthcare, announced it was the victim of a data breach in 2019 in which the private information of some of its customers in South Carolina was potentially compromised.

UnitedHealthcare was notified about the data breach on December 10, 2019 and determined that between July 30, 2019 and Nov 13, 2019 an unauthorized individual gained access to the health information of certain members through its member portal. Only members’ first and last names, health plan information, and medical claims data was compromised.

UnitedHealthcare said it is assisting with the law enforcement investigation and steps have been taken to prevent further breaches of this nature in the future. The HHS’ Office for Civil Rights Breach portal indicates 934 individuals were affected by the breach.

2,713 Individuals Informed of Cook County Health Mailing Error

Chicago, IL-based Cook County Health has started notifying 2,713 individuals that some of their protected health information was sent to a third-party vendor in error. The information related to individuals participating in a #keepingitLITE study and was sent to a vendor who was due to assist with mailing study information.

The list of study participants, which was limited to names, addresses, and email addresses, was sent before a business associate agreement was in place. A business associate agreement confirms that a vendor agrees to implement safeguards to ensure the privacy and security of any information. Without the BAA, satisfactory assurances that those safeguards were in place had not been received by Cook County Health.

Action has now been taken to ensure similar errors are prevented in the future.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.