Data Breaches Reported by TriHealth, Centura Health, and Columbus Community Hospital

The Cincinnati-based health system TriHealth is alerting 2,433 patients about an impermissible disclosure of their protected health information (PHI) to a student mentee.

The student was acting under the direct supervision of a former TriHealth physician and accessed patient information for a potential research project. On June 8 and June 9, 2018, the student was provided with patient information including first and last names, dates of birth, ethnicity, life status, cancer diagnosis information, and zip codes.

TriHealth does not believe that there were any further uses or disclosures of patient information nor that any patient information has been misused. PHI was accessed solely in relation to the potential research project.

Since the student was not an approved TriHealth workforce member, access to patient information was prohibited. As such, this was an impermissible disclosure of patient information which warranted breach notifications to be issued to affected patients. Those notification letters have now been sent.

In its website breach notice, TriHealth said all employees are educated on the hospital’s privacy policies when they are hired and are required to undergo annual re-training. In the event of a violation of hospital policy, corrective action is taken which can include discharge from employment. That process was followed in this case.

Centura Health Email Compromise Impacts 7,515 Patients

The Centennial, CO-based health system Centura Health is alerting 7,515 patients about an email security incident that exposed some of their PHI.

Centura Health discovered the breach on April 16, 2019 and promptly secured the affected email account. A forensic investigation confirmed that the account had been accessed by an unauthorized individual who may have viewed or obtained patient information contained in emails and email attachments. No evidence was uncovered to suggest PHI has been accessed, stolen, or misused, but patients are being notified as a precaution. Letters started to be sent on May 22, 2019.

Patients affected by the breach had some or all of the following information exposed: Name, date of birth, demographic information, medical record number, account number, dates of service, treating physician, services received, medical device supplied, and other clinical information. No health insurance information, financial data, or Social Security numbers were exposed.

Centura Health has taken steps to reduce the risk of further email security breaches, including re-educating the workforce on email security, establishing and using strong passwords, and strengthening email security protections.

Phishing Attack Reported by Columbus Community Hospital

Columbus Community Hospital in Columbus, WI, is alerting certain patients that some of their PHI has been exposed as a result of a phishing attack on one of its business associates.

On April 8, 2019, the claims management service provider OS, Inc., notified Columbus Community Hospital that an unauthorized individual had gained access to the email account of one of its employees and may have viewed patient information.

The information in the compromised account includes names, hospital account numbers, insurer names, summaries of charges, and categories of service. A limited number of patients also had their insurance ID number and/or Social Security number exposed. No evidence of data access, theft, or misuse has been identified to date.

OS Inc., provides claims management services to several hospitals. It is currently unclear whether the breach was limited to Columbus Community Hospital or if patients of other hospitals have also been affected.

The breach has yet to appear on the HHS’ Office for Civil Rights website so it is not yet known how many individuals have been affected.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.