HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Impostor, Burglar, and Hackers Obtain PHI of Patients

A round up of healthcare data security incidents reported in the past few days that have resulted in the protected health information of patients being obtained by unauthorized individuals.

Blue Cross Blue Shield of Illinois Discovers PHI was Provided to an Imposter

Blue Cross Blue Shield of Illinois has discovered the protected health information of some plan members has been disclosed to a doctor who was impersonating another physician. The doctor was employed by its business associate Dane Street and conducted peer to peer reviews for the firm – Further reviews when requests for services have been denied by an insurance company.

Dane Street was notified by law enforcement on April 9, 2018 that the doctor had been fraudulently impersonating another physician in order to perform peer to peer reviews. Those reviews required the doctor to view information such as names, addresses, dates of birth, phone numbers, medical service information, and Social Security numbers.

Since Social Security numbers were disclosed, affected patients have been offered complimentary credit monitoring services for one year. Dane Street no longer employs the doctor the matter is in the hands of law enforcement.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

Dane Street has implemented additional credentialing procedures to prevent incidents of this nature from occurring in the future.

Around 3,000 Patients of Quality Care Pharmacy Notified of PHI Exposure

Approximately 3,000 patients of Quality Care Pharmacy in San Marcos, CA have been notified that some of their protected health information has been obtained by thieves.

Professional thieves targeted the pharmacy, located in a San Marcos strip mall, and stole hundreds of thousands of dollars of medications and a computer containing unencrypted protected health information. According to a 10News report, the thieves also drilled the safe and stole its contents and managed to circumvent all security measures put in place by the pharmacy.

Security protections had been improved following two previous burglaries at the pharmacy, although they proved insufficient to prevent the break-in.

Patients impacted by the breach have now been notified by mail, although it allegedly took nine weeks for some patients to receive their notification letters.

Hacker Gain Access to Elmcroft Senior Living Inc., Servers

A hacker has gained access to servers used by Elmcroft Senior Living Inc., and potentially viewed and copied the protected health information of patients and current and former residents. The breach occurred on May 10, 2018 and was detected two days later on May 12.

The types of information potentially accessed includes residents’ names, names of family members, birth dates, addresses, demographic information, and Social Security numbers. The PHI of former residents and patients of its healthcare facilities were also potentially accessed. All individuals affected by the breach have been notified and offered credit and identity theft monitoring services.

Care Partners Hospice and Palliative Care Reports Email Breach

The PHI of 600 patients of Care Partners Hospice and Palliative Care has potentially been accessed by an unauthorized individual who gained access to the email account of one of its employees.  The breach was detected on April 11, 2018 prompting a full investigation. A third-party cybersecurity expert was called in to assist with the investigation and determine how access to the email account was gained and which patients were potentially affected.

Data theft was not confirmed, although could not be ruled out with a high degree of certainty. The breach was limited to the email account and no other systems were compromised. No reports have been received to suggest any information in the email account has been misused.

The incident has prompted Care Partners Hospice and Palliative Care to augment its email security protections and improve system and network security.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.