HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Malware Infection Discovered by JEV Plastic Surgery & Medical Aesthetics

Owing Mills, MD-based JEV Plastic Surgery & Medical Aesthetics has started notifying 1,620 patients about a security breach that has exposed some of their protected health information.

Malware was detected that allowed an unauthorized individual to access systems containing protected health information.

A third-party forensic investigation determined the malware had been installed on April 30, 2021, and allowed its systems to be accessed until June 14, 2021. A comprehensive review of files on the affected systems was conducted to determine whether any patient information had been viewed or acquired. On September 8, 2021, JEV Plastic Surgery confirmed files on the compromised systems contained protected health information such as names, dates of birth, consultation notes, medical histories, and surgical operative notes. JEV Plastic Surgery says it is unaware of any actual or attempted misuse of personal data.

JEV Plastic Surgery is reviewing its policies and procedures and will update them as necessary to improve data security. New internal training protocols have also been implemented to mitigate any risk associated with this event and to better protect against future security breaches.

Bryan Health Discovers Insider Breach Involving PHI of 2,753 Patients

Lincoln, NE-based Bryan Health has discovered an insider breach involving the protected health information of 2,753 patients. In August 2021, an employee was discovered to have accessed the health records of patients when there was no legitimate work-related reason for doing so.

The types of information accessed included names, personal information, and information stored in medical records; however, the access rights of that individual did not permit Social Security numbers or financial information to be viewed.

The unauthorized access occurred in September 2020, but it was not discovered until August 2021. All affected individuals have been notified about the breach by mail, and Bryan Health has confirmed that the employee no longer works at Bryan Health.

Billing Information of 946 UNC Health Patients Exposed

Chapel Hill, NC-based UNC Health has discovered the billing information of 946 patients may have been viewed by unauthorized individuals.

An internal review of billing fields in its electronic health records was conducted on September 9, 2021. One of the fields in the EHR identifies individuals authorized to view patient billing information, and any individual listed in that field is able to access patients’ billing information. The individuals listed in those fields are usually relatives of a patient or other individuals who have been authorized to access their billing information.

The review identified 946 patients for whom that field listed an individual the health system was unable to confirm was authorized to access billing information. Consequently, it is possible that information such as names, addresses, charges for services, and medical-related information may have been accessed by unauthorized individuals.

No Social Security numbers, financial information, or credit card information was exposed and the affected patients are not believed to be at financial risk. UNC Health said it has cleared and reset the field in its EHR, which will prevent authorized individuals from accessing billing information. Notification letters have been sent to patients along with instructions for re-establishing access to their billing information for named individuals.

Policies have also been changed to limit the number of employees who are authorized to update the field and employees who are permitted to access the field have been retrained. Additional safeguards have also been implemented to prevent similar issues in the future.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.