Data Breaches Reported by VEP Healthcare and the American College of Emergency Physicians

The American College of Emergency Physicians (ACEP) has started alerting certain members that some of their personal information was stored on a server that was accessed by unauthorized individuals.

In addition to providing professional organizational services to its members, management services are provided by ACEP to organizations such as the Emergency Medicine Foundation (EMF), Society for Emergency Medicine Physician Assistants (SEMPA), and the Emergency Medicine Residents’ Association (EMRA). The breach concerns data related to those organizations. Affected individuals had made a purchase from or donated to EMF, SEMPA, or EMRA.

A breach was detected on September 7, 2020 when unusual activity was identified in its systems. A server had been compromised that contained the login details for its SQL database servers, and those databases contained members’ information. While no evidence was found to indicate the credentials were used to access the databases, it was not possible to rule out unauthorized access. The information exposed was for the dates April 8, 2020 to September 21, 2020.

The exposed data varied from individual to individual. In addition to names, sensitive information such as Social Security numbers and financial information may have also been compromised.

The impacted server has been rebuilt, passwords changed, and additional technical safeguards have now been implemented.  12 months of credit monitoring services have been offered to affected individuals.

VEP Healthcare Discovers Multiple Email Accounts Were Accessed by Unauthorized Individuals

Portland, OR-based VEP Healthcare has discovered multiple employee email accounts have been accessed by unauthorized individuals after employees responded to phishing emails and disclosed their login credentials. The email security incident was detected on March 11, 2021 and the investigation confirmed the affected email accounts had been subjected to unauthorized access between November 15, 2019 and January 20, 2020. It is unclear exactly what information was contained in the compromised accounts.

While the email accounts were accessed, no evidence was found to indicate any protected health information in those accounts was viewed or obtained. However, out of an abundance of caution, affected individuals have been offered a free 12-month membership to the IDX identify theft protection service which includes a $1 million identity theft insurance policy.

VEP healthcare has since improved email security, implemented 2-factor authentication on email accounts, has modified its policies and procedures, and provided additional security awareness training to the workforce.

Epilepsy Florida Impacted by Blackbaud Data Breach

Epilepsy Florida has recently confirmed that it has been affected the data breach at Blackbaud Inc., its cloud computing vendor. The breach occurred in May 2020 and notifications were sent to affected clients in July 2020.

In a March 30, 2021 substitute breach notice, Epilepsy Florida explained that it launched an investigation into the breach to determine what information had been compromised and, after demanding further information from Blackbaud, determined the breach was limited to the full names of 1,832 individuals. No other information appears to have been compromised.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.