HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Everett & Hurite Ophthalmic Association Email Breach Impacts 34,000 Patients

The Everett & Hurite Ophthalmic Association (EHOA), a team of ophthalmology specialists serving Pittsburgh, PA & Warrendale, PA, has discovered an unauthorized individual gained access to the email account of one of its employees and potentially viewed patient information.

EHOA became aware of a breach on March 23, 2020 when suspicious activity was detected in the employee’s email account. After securing the account, third party forensic specialists were engaged to investigate the incident. The investigation confirmed that the breach was limited to a single email account, which was breached between February 25, 2020 and March 25, 2020.

A comprehensive review of emails and attachments in the account revealed they contained the protected health information of 34,113 patients. The majority of patients had their names included in an internal report that was used for reporting to the HHS’ Centers for Medicare and Medicaid Services (CMS). For certain individuals, their Social Security number, financial data, health insurance details, date of birth, and health and treatment information were also exposed. No evidence was uncovered to suggest patient information was viewed or downloaded by the person who accessed the account.

EHOA has notified all affected patients, has provided further training to its employees, and is enhancing its policies and procedures to prevent similar breaches in the future.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

Castro Valley Health, Inc. Discovers PHI was Exposed on Docker Hub

Castro Valley Health, Inc. has discovered patient information was accidentally transferred to a third-party website, Docker Hub, and could potentially have been accessed by unauthorized individuals.

The transfer of patient data occurred between 2016 and 2017 and was discovered on April 21, 2020. Docker Hub is used for creating, managing, and delivering container applications and for image sharing between teams. Files were uploaded to the website that contained patient information such as names, dates of birth, medical record numbers, care start dates, admission visit dates, names of nurses who provided treatment, and physical/speech therapist names. No Social Security numbers, financial information, or clinical/diagnostic data were exposed.

Castro Valley Health said that while data could potentially have been accessed, the data was heavily coded and could not be read without first decoding the data. No evidence was found to suggest any patient data was viewed or downloaded by unauthorized individuals during the time it was exposed. The only person known to have accessed the data was the person who discovered the data and reported the breach to the HHS’ Office for Civil Rights.

Castro Valley Health has now notified all individuals whose data was exposed, and steps have been taken to prevent similar breaches in the future, including updating policies and procedures, conducting additional security audits and risk assessments, and re-educating employees.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.