Almost 39,000 Patients Affected by Email Breach at Oklahoma Spine Hospital
Unauthorized email account access has been detected by Oklahoma Spine Hospital, Familylinks, and the Massachusetts Department of Developmental Services, and an emailing error by a Missouri Department of Mental Health employee resulted in the impermissible disclosure of patient data.
Oklahoma Spine Hospital
Oklahoma Spine Hospital in Oklahoma City has warned 38,945 patients about the exposure of some of their protected health information. Suspicious activity was identified in an employee’s email account on or around July 1, 2024. Immediate action was taken to secure its email tenant, and an investigation was launched to determine the nature and scope of the breach.
The forensic investigation confirmed on September 24, 2024, that patients’ protected health information was stored in the compromised accounts, including first and last names, dates of birth, financial account numbers and routing numbers, health insurance information, medical information, payment card information, and driver’s license information. At the time of issuing notifications, Oklahoma Spine Hospital was unaware of any misuse of the affected information.
As a precaution, the affected individuals have been offered complimentary credit monitoring services. Oklahoma Spine Hospital said data security policies and procedures are being reviewed and additional security measures have been implemented to prevent further email account breaches.
Massachusetts Department of Developmental Services
The Massachusetts Department of Developmental Services (DDS), a state agency that provides support to individuals with intellectual and developmental disabilities, has learned that there has been unauthorized access to a small number of DDS employee email accounts. DDS was notified about a phishing campaign targeting state employees on July 30, 2024, by the state security team.
The investigation confirmed on September 10, 2024, that the protected health information of 3,800 state residents was stored in the compromised accounts. The exposed information included names, addresses, dates of birth, phone numbers, email addresses, healthcare provider names, diagnoses, medications, treatment information, Social Security numbers, driver’s license numbers/state ID numbers, claims numbers, account numbers, payment card information, and financial and banking information. DDS said it is unaware of any misuse of data stored in the accounts but has advised the affected individuals to exercise caution and be vigilant against identity theft and fraud.
Familylinks Inc.
Familylinks Inc., a provider of integrated community, behavioral, and social programs in Western Pennsylvania, has notified 3,775 individuals that some of their protected health information has been exposed. On May 3, 2024, suspicious activity was identified in an employee’s email account. The forensic investigation confirmed the unauthorized access occurred on May 3, 2024, and was limited to a single email account. While the breach was detected rapidly, it is possible that sensitive information in the account and attached files may have been viewed or acquired.
The account review confirmed that the following types of protected health information were stored in the account: names, driver’s license or state ID numbers, federal ID numbers, dates of birth, Social Security numbers, medical information (including diagnosis and treatment information), and/or health insurance information, including policy numbers. Familylinks is unaware of any misuse of the affected data. Notifications were mailed to the affected individuals on October 3, 2024, and steps have been taken to enhance email security to prevent similar incidents in the future.
Missouri Department of Mental Health
An error by an employee of the Missouri Department of Mental Health resulted in the accidental disclosure of the protected health information of 537 individuals to 12 email recipients who were not authorized to view that information. An employee sent an email on November 1, 2024, with an attachment that contained names, housing provider referral information, birthdates, department client numbers, and Social Security numbers. The 12 email recipients work at state agencies or consumer partner organizations. The error was discovered on November 5, 2024, and immediate action was taken to prevent further disclosure of the information. The Missouri Department of Mental Health said it has no reason to believe that there have been any further disclosures of the list or that the information in the list has been misused.


