District Medical Group (DMG), an integrated medical group serving patients in Arizona, has started notifying 10,190 patients that some of their protected health information has potentially been compromised. On March 11, 2020, DMG discovered an unauthorized individual had gained access to the email accounts of some of its employees as a result of responses to phishing emails.
A password reset was immediately performed to prevent further unauthorized access and a leading cybersecurity firm was engaged to investigate the breach. The investigation revealed a limited number of email accounts were compromised between February 4, 2020 and February 10, 2020.
An analysis of emails and attachments in the breached accounts revealed they contained patient information such as names, medical record numbers, medical information, and health insurance information. A limited number of Social Security numbers were also potentially compromised. No evidence was uncovered that suggested the emails were opened or copied by the attackers.
Affected patients have been advised to be vigilant and monitor their accounts and statements for any sign of fraudulent activity. Out of an abundance of caution, individuals whose Social Security numbers were present in the accounts have been offered complimentary credit monitoring and identity theft protection services.
DMG has reinforced employee education and has taken steps to improve email security to prevent further breaches.
Geisinger Wyoming Valley Medical Center Employee Terminated for Unauthorized Medical Record Access
Geisinger Wyoming Valley Medical Center (GWVMC) in Wilkes-Barre, PA, has discovered that an employee has been accessing the medical records of patients with no legitimate work reason for doing so.
GWVMC was alerted to the potential HIPAA breach on March 20, 2020 and launched an internal investigation. The employee was authorized to view patient records to complete day-to-day work duties, but it was discovered the medical records of 805 patients had been accessed outside of those work duties. The unauthorized access started in July 2017 and continued until March 2020.
The investigation did not uncover any evidence to suggest patient records were being accessed with malicious intent. Out of an abundance of caution, affected patients have been offered complimentary credit monitoring and identity theft protection services.
The types of information viewed by the employee included names, addresses, telephone numbers, email addresses, dates of birth, Social Security numbers, medical conditions, diagnoses, medications, dates of service, visit notes, test results, and appointment information.
Appropriate disciplinary action was taken against the employee for the violation of HIPAA and hospital policies. The employee no longer works at GWVMC.