Share this article on:
The Everett & Hurite Ophthalmic Association (EHOA), a team of ophthalmology specialists serving Pittsburgh, PA & Warrendale, PA, has discovered an unauthorized individual gained access to the email account of one of its employees and potentially viewed patient information.
EHOA became aware of a breach on March 23, 2020 when suspicious activity was detected in the employee’s email account. After securing the account, third party forensic specialists were engaged to investigate the incident. The investigation confirmed that the breach was limited to a single email account, which was breached between February 25, 2020 and March 25, 2020.
A comprehensive review of emails and attachments in the account revealed they contained the protected health information of 34,113 patients. The majority of patients had their names included in an internal report that was used for reporting to the HHS’ Centers for Medicare and Medicaid Services (CMS). For certain individuals, their Social Security number, financial data, health insurance details, date of birth, and health and treatment information were also exposed. No evidence was uncovered to suggest patient information was viewed or downloaded by the person who accessed the account.
EHOA has notified all affected patients, has provided further training to its employees, and is enhancing its policies and procedures to prevent similar breaches in the future.
Castro Valley Health, Inc. Discovers PHI was Exposed on Docker Hub
Castro Valley Health, Inc. has discovered patient information was accidentally transferred to a third-party website, Docker Hub, and could potentially have been accessed by unauthorized individuals.
The transfer of patient data occurred between 2016 and 2017 and was discovered on April 21, 2020. Docker Hub is used for creating, managing, and delivering container applications and for image sharing between teams. Files were uploaded to the website that contained patient information such as names, dates of birth, medical record numbers, care start dates, admission visit dates, names of nurses who provided treatment, and physical/speech therapist names. No Social Security numbers, financial information, or clinical/diagnostic data were exposed.
Castro Valley Health said that while data could potentially have been accessed, the data was heavily coded and could not be read without first decoding the data. No evidence was found to suggest any patient data was viewed or downloaded by unauthorized individuals during the time it was exposed. The only person known to have accessed the data was the person who discovered the data and reported the breach to the HHS’ Office for Civil Rights.
Castro Valley Health has now notified all individuals whose data was exposed, and steps have been taken to prevent similar breaches in the future, including updating policies and procedures, conducting additional security audits and risk assessments, and re-educating employees.