
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Email Breach Impacts 35,529 Patients of Saint Francis Healthcare Partners

Saint Francis Healthcare Partners in Connecticut is notifying 38,529 patients that some of their protected health information has potentially been obtained by hackers as a result of a “sophisticated cybersecurity incident” that allowed an unauthorized individual to gain access to its email system.

The attack occurred on December 30, 2019, but it took until March 20, 2020, for the forensic investigation to determine that patients’ protected health information was potentially compromised. The types of information stored in the email system that could have been accessed included names, medical histories, medical record numbers, clinical and treatment information, dates of service, diagnoses, health insurance provider names, account numbers, prescription information and/or types of procedures performed. No financial information or Social Security numbers were compromised.

The investigation uncovered no evidence to suggest patient information was accessed, stolen, or misused. Steps have now been taken to improve data security practices and all affected patients have been notified by mail.

Florida Internal Medicine Practice Suffers Ransomware Attack

Daniel Bendetowicz, MD, PA is notifying 3,314 patients that their protected health information has been exposed as a result of a ransomware attack. The attack occurred on March 25, 2020, and resulted in the encryption of its computer systems, including patient records. Backup files were not affected, so files could be recovered without paying the ransom.


In these types of ransomware attacks, files are not typically accessed by the attackers prior to file encryption; however, data access could not be ruled out so notification letters have been sent to affected patients. Dr. Bendetowicz explained in the breach notification letters that names, addresses, dates of birth, Social Security numbers, health insurance information, and medical information were potentially compromised.

Out of an abundance of caution, identity theft protection services have been offered to all affected patients. Steps have also been taken to improve security to prevent further attacks in the future.

Houston Methodist Hospital Notifies 2,000 Patients of PHI Theft

Houston Methodist Hospital is notifying 1,987 heart patients that some of their protected health information was stored on portable storage devices that were stolen from the vehicle of a vendor representative in mid-February.

The individual was employed by the medical device manufacturer and operated the 3D imaging technology in the hospital’s cardiac catheterization lab.

The hard drives were left in a vehicle, from which they were stolen. The hospital reports that the room where the hard drives were stored was locked, and removal of the devices was against hospital protocol and violated established technical safeguards and contractual obligations. The representative believed the room was only locked due to the late hour of the day.

The hard drives contained medical images that included a patient’s name, gender, date of birth, and a code number. The images could only be viewed with specialist software. The clinic reported the theft to law enforcement and hired a private investigator, but the hard drives could not be located.

Email Error Leads to Breach at Ascension Eastwood Clinic

An employee of Ascension Eastwood Clinic in Southfield, MI sent an email to patients on April 15, 2020 explaining the practice was transitioning to telehealth services due to COVID-19 to help prevent the spread of the disease.

An error was made when sending the email: patients’ email addresses were not added to the BCC field and could therefore be viewed by other patients. As a result of the error, email addresses and, in some cases, patients’ full names were disclosed to other patients. Apart from allowing a patient to be identified as a patient of the clinic, no other information was exposed.

The HHS’ Office for Civil Rights breach portal shows 999 patients were affected.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
