
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Data Breaches Reported by Three Californian Healthcare Providers

Data breaches have recently been reported by Californian healthcare providers Vasinda’s Around the Clock Care, Baker Places, and Turning Point of Central California, and by Watson Clinic in Florida.

Vasinda’s Around the Clock Care / ATC Home Care, California

Vasinda’s Around the Clock Care Inc., doing business as ATC Home Care in California, has notified 3,785 individuals about a computer intrusion detected on June 18, 2024. The forensic investigation revealed an unauthorized individual had access to its network for almost 5 months. Its network was first compromised on January 30, 2024, and access remained possible until June 18, 2024. During that time, files were copied from its systems that contained sensitive patient information.

The file review confirmed names had been compromised along with addresses, Social Security numbers, health insurance information, billing and claims information, and medical information such as diagnoses, lab results, medications, and other treatment information. The affected individuals were patients or clients of ATC or clients of the payee organization. In response to the security incident, policies and procedures have been reviewed and updated and new cybersecurity tools are being assessed to reduce the risk of similar incidents in the future. The affected individuals have been offered complimentary credit monitoring services for 12 months.

Baker Places, California

Baker Places, Inc., a San Francisco, CA, provider of mental health services, has discovered unauthorized access to an employee’s email account. Unauthorized access to the email account was detected on or around February 29, 2024, and a password reset was performed to prevent further access. The forensic investigation confirmed that the account had been accessed by an unauthorized third party between February 12, 2024, and February 29, 2024. During that time, information in the account may have been acquired.


The account review was completed on June 17, 2024, when it was confirmed that the protected health information of 971 individuals had been exposed. The exposed information varied from individual to individual and may have included names in combination with Social Security numbers, driver’s license numbers, financial account information, treatment/diagnosis information, prescription information, medical record/patient ID numbers, health insurance information, treatment cost information, and/or provider names.

Baker Places is unaware of any misuse of the exposed information and said the risk of misuse is believed to be low, although no explanation was provided as to how that determination was made. As a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Turning Point of Central California

Turning Point of Central California (TPOCC), a provider of mental health services, children’s services, housing programs, and addiction recovery services, has recently reported a data breach to the HHS’ Office for Civil Rights (OCR) that has affected at least 500 individuals. The 500 figure is often used as a placeholder when the number of affected individuals has yet to be determined and is the trigger number for inclusion on OCR’s data breach portal. TPOCC said the review of the affected files is ongoing and notifications will be issued when the file review is completed.

According to a notification letter sent to the California Attorney General, suspicious activity was identified within its computer network on May 31, 2024. Third-party cybersecurity experts were engaged to conduct a forensic investigation which confirmed on June 12, 2024, that there had been unauthorized access to its network and potential access to files containing names, addresses, and Social Security numbers.

TPOCC said it is conducting a review of system security and will put additional security controls in place to prevent similar incidents in the future. TPOCC is offering complimentary credit monitoring and identity theft restoration services to individuals whose Social Security numbers were involved.

Watson Clinic, Florida

Watson Clinic in Lakeland, FL, has started sending notification letters to individuals whose protected health information was compromised in a security breach on January 26, 2024. Watson Clinic explained that the intrusion was detected on February 6, 2024, and an investigation was launched to determine the nature and scope of the incident, with third-party cybersecurity professionals engaged to assist with the forensic investigation.

Watson Clinic had previously disclosed the incident on its website; however, it was not possible to provide full information at the time as the incident was still under investigation. The results of the file review were received from a data review company in July 2024, and since then, Watson Clinic has been verifying the results and obtaining up-to-date contact information to allow individual notifications to be mailed.

Watson Clinic identified unauthorized access to a file containing the data of one patient, and that individual was previously notified. While evidence of unauthorized access was not identified for the other patients, notification letters are now being sent. The files included names in combination with one or more of the following: address, birthdate, Social Security number or similar government identifier, driver’s license number, financial account information, and limited medical information, which may include diagnosis and treatment information and medical record number. Further investigation revealed medically necessary images had been stolen, some of which were posted on the dark web.

Steps have been taken to improve security to prevent similar incidents in the future. The affected individuals have been advised to monitor their account statements for unauthorized activity. The HHS’ Office for Civil Rights breach portal indicates 280,278 individuals were affected by the data breach.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
