HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Email Breach Impacts 35,529 Patients of Saint Francis Healthcare Partners

Saint Francis Healthcare Partners in Connecticut is notifying 38,529 patients that some of their protected health information has potentially been obtained by hackers as a result of a “sophisticated cybersecurity incident” that allowed an unauthorized individual to gain access to its email system.

The attack occurred on December 30, 2019, but it took until March 20, 2020 for the forensic investigation to determine that patients’ protected health information was potentially compromised. The types of information stored in the email system that could have been accessed included names, medical histories, medical record numbers, clinical and treatment information, dates of service, diagnoses, health insurance provider names, account numbers, prescription information and/or types of procedures performed. No financial information or Social Security numbers were compromised.

The investigation uncovered no evidence to suggest patient information was accessed, stolen, or misused. Steps have now been taken to improve data security practices and all affected patients have been notified by mail.

Florida Internal Medicine Practice Suffers Ransomware Attack

Daniel Bendetowicz, MD, PA is notifying 3,314 patients that their protected health information has been exposed as a result of a ransomware attack. The attack occurred on March 25, 2020, resulting in the encryption of its computer systems, including patient records. Backup files were not affected, so files could be recovered without paying the ransom.


In these types of ransomware attacks, files are not typically accessed by the attackers prior to file encryption; however, data access could not be ruled out, so notification letters have been sent to affected patients. Dr. Bendetowicz explained in the breach notification letters that names, addresses, dates of birth, Social Security numbers, health insurance information, and medical information were potentially compromised.

Out of an abundance of caution, identity theft protection services have been offered to all affected patients. Steps have also been taken to improve security to prevent further attacks in the future.

Houston Methodist Hospital Notifies 2,000 Patients of PHI Theft

Houston Methodist Hospital is notifying 1,987 heart patients that some of their protected health information was stored on portable storage devices that were stolen from the vehicle of a vendor representative in mid-February.

The individual was employed by the medical device manufacturer and operated the 3D imaging technology in the hospital’s cardiac catheterization lab.

The hard drives had been left in a vehicle, from which they were stolen. The hospital reports that the room where the hard drives were stored was locked, and that removing the devices was against hospital protocol and violated established technical safeguards and contractual obligations. The representative believed the room was only locked because of the late hour of the day.

The hard drives contained medical images that included a patient’s name, gender, date of birth, and a code number. The images could only be viewed with specialist software. The clinic reported the theft to law enforcement and hired a private investigator, but the hard drives could not be located.

Email Error Leads to Breach at Ascension Eastwood Clinic

An employee of Ascension Eastwood Clinic in Southfield, MI sent an email to patients on April 15, 2020 explaining the practice was transitioning to telehealth services due to COVID-19 to help prevent the spread of the disease.

An error was made when sending the email: patients’ email addresses were not placed in the BCC field, so every recipient could see the addresses of the other recipients. As a result of the error, email addresses and, in some cases, patients’ full names were disclosed to other patients. Apart from allowing a patient to be identified as a patient of the clinic, no other information was exposed.

The HHS’ Office for Civil Rights breach portal shows 999 patients were affected.
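The Ascension Eastwood incident is the classic mass-mailing mistake: recipient addresses placed in a visible header instead of BCC. The snippet below is an added illustration, not code from HIPAA Journal or from the clinic, of how a bulk notification can be built so recipients go into BCC, together with a pre-send guard that flags a message exposing more than one address in To/Cc. The addresses, sender and function names are constructed for the example.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample recipient list; these are placeholder addresses, not real patients.
SAMPLE_RECIPIENTS = [
    "patient.one@example.org",
    "patient.two@example.org",
    "patient.three@example.org",
]


def build_bulk_notice(sender: str, recipients: list[str], subject: str, body: str) -> EmailMessage:
    """Build a mass notification so that recipients cannot see each other.

    Every recipient goes in Bcc. The visible To header carries only the sender's
    own address, so no recipient list appears in the delivered copies.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_disclosing_notice(sender: str, recipients: list[str], subject: str, body: str) -> EmailMessage:
    """The mistake described in the article: all recipients in the visible To header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return the addresses every recipient will be able to see (To and Cc headers)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def check_bulk_safe(msg: EmailMessage, max_visible: int = 1) -> tuple[bool, str]:
    """Pre-send guard for patient mailings.

    Rejects a message that would disclose more than max_visible addresses to
    every recipient. Bcc is ignored here because the mail server strips it from
    delivered copies; only To/Cc are visible to recipients.
    """
    visible = visible_recipients(msg)
    if len(visible) > max_visible:
        return False, f"{len(visible)} addresses visible in To/Cc; move recipients to Bcc"
    return True, "ok"


if __name__ == "__main__":
    sender = "clinic-noreply@example.org"  # constructed sender address
    good = build_bulk_notice(sender, SAMPLE_RECIPIENTS, "Telehealth update", "We are moving to telehealth.")
    bad = build_disclosing_notice(sender, SAMPLE_RECIPIENTS, "Telehealth update", "We are moving to telehealth.")
    print("bcc version:", check_bulk_safe(good))
    print("to version:", check_bulk_safe(bad))
```

When the message is handed to `smtplib.SMTP.send_message`, the Bcc header is removed from the transmitted copy and its addresses are used only as envelope recipients, which is what keeps the list out of every delivered message; the guard is worth running in the sending path so that a message built the wrong way is stopped before it leaves.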

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.