Delta Health Systems Alerts Plan Members to Exposure of SSNs Over Internet

Employees of Turlock Irrigation District in California who are members of their employer-sponsored health plan are being notified that some of their protected health information has been exposed online as a result of an error at a business associate.

Delta Health Systems (DHS) provides administrative services related to the health plan and requires access to certain protected health information. Some of that information was made accessible over the internet through a link to a DHS webpage.

The error was made by third-party website developer. While the website had been configured to restrict access, there was a conflicting setting which provided general access to the document which took precedence.

Affected plan members have been told that their billing statement for their employee-sponsored health plan could have been accessed by unauthorized individuals during the time it was accessible over the internet. The billing statement contained the plan member’s first and last name, employer’s name and address, DHS ID number, and Social Security number.

All affected members have been offered one year of free membership to credit monitoring and identity theft protection services through Experian.

The issue was identified and corrected on April 18, 2019. It was not possible to determine when the error was introduced and for how long plan members’ personal information was exposed. It was not possible to determine whether any unauthorized individuals accessed the billing statements while they were unprotected.

In addition to correcting the problem, DHS has contacted search engines to request the removal of all cached content. DHS is also revising its security policies and procedures and has built a new, more secure website that lacks the software that was misconfigured.

The incident has been reported to the California Attorney General but has not yet been listed on the HHS’ Office for Civil Rights website, so it is currently unclear how many plan members have been affected.

Ellwood City Medical Center Investigating Cyberattack

Officials at Ellwood City Medical Center, in Ellwood City, PA, are currently investigating a cyberattack that compromised part of its systems. The attack appears to have started on or around Saturday May 27, although at this stage, no further information has been released. Analyses are ongoing to determine whether any patient records have been compromised.

The cyberattack comes at a time when the Americore Health-owned medical center is embroiled in problems associated with billing and payroll and is being investigated over late payments of wages to staff.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.