Las Palmas Del Sol Healthcare Discovers 2-Year Insider Data Breach
Cyberattacks have been announced by VisionPoint Eye Center in Illinois and Vickers Engineering in Michigan. Las Palmas Del Sol Healthcare has discovered a former employee has accessed patient records without authorization and may have disclosed patient information to other unauthorized individuals.
El Paso Healthcare System (Las Palmas Del Sol Healthcare)
El Paso Healthcare System, Ltd. d/b/a Las Palmas Del Sol Healthcare, has recently notified 1,854 patients about an insider data breach detected on February 23, 2024. A former employee was discovered to have accessed patients’ medical records without authorization and may have disclosed patient information to other unauthorized individuals.
When unauthorized medical record access was detected, a review was conducted to determine the extent of the HIPAA breach. The employee was found to have accessed patient records without authorization between January 1, 2018, and March 12, 2021. The review of the records confirmed that the following information was viewed and potentially copied: name, address, date of birth, health plan information, hospital account number, and certain medical information contained in the patient record, such as the reason for a visit and diagnosis information. Driver’s license numbers, Social Security numbers, credit card information, and bank account information were not accessed or disclosed.
It is unclear why the employee accessed the records or why the unauthorized access stopped in 2021 when the employee continued to work at Las Palmas Del Sol Healthcare. After investigating the HIPAA breach, the employee was terminated, the employee’s login credentials were revoked, and law enforcement was notified. Due to the law enforcement investigation, Las Palmas Del Sol Healthcare was prevented from notifying individuals about the data breach until December. To prevent and reduce the severity of future incidents, Las Palmas Del Sol Healthcare will be performing systematic audits or monitoring activities of employee access to patient records and will be reinforcing employee HIPAA training.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
VisionPoint Eye Center
VisionPoint Eye Center in Illinois experienced a security breach on October 3, 2024, involving unauthorized access to its network. Third-party digital forensics experts were engaged to investigate the incident to determine the extent of the unauthorized activity.
The unauthorized third party accessed parts of the network that contained patient data and information may have been copied. The file review was completed on October 29, 2024, and confirmed that the following data had been exposed: first name, last name, medical record number, health insurance information, and medical information. The types of data involved varied from individual to individual. VisionPoint Eye Center confirmed that Social Security numbers and financial information were not involved, and its electronic medical record system had not been accessed, so full patient histories were not impacted. Technical safeguards have now been enhanced to prevent similar incidents in the future.
While Social Security numbers were not involved, VisionPoint Eye Center has arranged for complimentary credit monitoring services and identity theft protection services to be provided to all 66,926 affected patients as a precaution.
Vickers Engineering
Vickers Engineering, Inc., a precision engineering company in New Troy, MI, has experienced a data breach that affected 857 members of its health plan. The cybersecurity incident was detected on or around August 15, 2024, when network connectivity was affected. Third-party cybersecurity professionals were engaged to investigate the incident and confirmed unauthorized access to the network. The internal review concluded on November 6, 2024, that files containing the protected health information of health plan numbers had been exposed and potentially acquired.
The data elements involved varied from individual to individual and may have included some or all of the following: name, address, date of birth, Social Security number, driver’s license or state ID, account number, routing number, medical record number, mental or physical condition, medical diagnosis code, medical diagnosis, treatment location, procedure type, provider name, medical date of service, admission date, prescription information, billing/claim information, health insurance policy number, health insurance group number, health insurance claim number, and/or subscriber member number.
No evidence of data misuse had been identified at the time notification letters were issued. As a precaution, individuals who had their Social Security numbers exposed have been offered complimentary credit monitoring services.
