Healthcare Provider Discovers Patient Data Exposed Online for Over 4 Years

A roundup of healthcare data breaches recently reported by Fairchild Medical Center, Harvard Pilgrim Health Care, and Indian Health Council Inc.

Fairchild Medical Center Discovers Patient Information Has Been Exposed Online

Fairchild Medical Center in Yreka, CA, has started notifying certain patients that some of their protected health information may have been accessed by unauthorized individuals over the Internet.

In July 2020, Fairchild Medical Center was notified by a third-party security company that a server had been misconfigured, which allowed it to be accessed via the Internet. Assisted by third-party computer specialists, the medical center determined patient information could potentially have been accessed by unauthorized individuals.

The server contained medical images along with patient names, dates of birth, patient identification numbers, exam identification numbers, ordering provider names, and exam dates. The misconfiguration had occurred on December 16, 2015 and was not corrected until July 31, 2020. After changes were made to secure the server, they were verified by a third-party security company.

A forensic investigation could not confirm whether patient information was accessed by unauthorized individuals during the time the server was exposed, but the possibility could not be ruled out.

Harvard Pilgrim Health Care Reports Mismailing Incident

Harvard Pilgrim Health Care is notifying 8,022 individuals that a software error in its enrollment data management system caused an individual’s mailing address to be linked to another address associated with that individual’s health plan. As a result of the error, some mailings may have been misdirected to the address of a subscriber of the individual’s health plan or to a former address. The issue was traced back to an error that occurred in 2013.

The types of information that may have been disclosed varied from mailing to mailing and potentially included the member’s name, ID number, date of birth, telephone number, dates of service, provider names, treatment information, charges for services, deductibles, co-pay amount, and co-insurance information related to healthcare coverage.

The issue has now been corrected and the process of system updates has been reviewed and enhanced. Affected individuals have been asked to check their Activity Summaries and to report any suspicious entries to Harvard Pilgrim immediately.

Indian Health Council Inc. Suffers Ransomware Attack

Valley Center, CA-based Indian Health Council Inc. was the victim of a ransomware attack in September 2020 that resulted in file encryption and may have impacted patients’ protected health information. The cyberattack was discovered on September 22, 2020, and independent computer forensic experts were engaged to assist with the investigation.

A review of the files accessible to the attacker revealed that some contained patient information such as names, birth dates, health information, and health insurance information and, for a limited number of individuals, information about health conditions, treatment, or diagnosis.

Following the attack, passwords were changed, and security has been strengthened to prevent further attacks. Additional measures implemented include further controls covering remote access and multi-factor authentication.

All patients affected by the breach have now been notified. The breach report submitted to the Office for Civil Rights indicates 5,769 individuals were potentially affected.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.