HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Management and Network Services Notifies 30,132 Patients About PHI Breach

Management and Network Services (MNS), LLC, a Dublin, OH-based provider of administrative support services to post-acute healthcare providers, has discovered that the email accounts of some of its employees have been compromised.

In a May 4, 2020 breach notification letter, MNS explained that it learned on or around August 21, 2019 that several employee email accounts had been subjected to unauthorized access between April and July of 2019. The analysis of the email accounts recently revealed five accounts contained the protected health information of patients of its clients.

The information in emails and email attachments varied from individual to individual and may have included the following data elements: name, medical treatment information, diagnosis information/codes, medication information, dates of service, insurance provider, health insurance number, date of birth, and Social Security number. A limited number of individuals also had their driver’s license number, State ID card number, and/or financial account information exposed.

MNS has taken steps to improve email security such as enhancing password policies across the entire organization and implementing multi-factor authentication for all employee email accounts.

The HHS’ Office for Civil Rights breach portal shows 30,132 patients had some of their PHI exposed.

Santa Rosa & Rohnert Park Oral Surgery Suffers Email Security Breach

Santa Rosa & Rohnert Park Oral Surgery in Portland, OR has discovered that the email account of one of its employees was accessed by an unauthorized individual. The breach was detected on March 11, 2020, when suspicious activity was identified in the email account. The forensic investigation revealed the email account was breached on December 20, 2019, and access remained possible until March 11, 2020, when the account was secured. The compromised account was found to contain a range of protected health information which may have been viewed or acquired by the attacker.

Affected individuals have been offered complimentary membership to the MyIDCare credit monitoring and identity theft protection service from ID Experts. Santa Rosa & Rohnert Park Oral Surgery is reviewing and enhancing its policies and procedures and will take further steps to improve information security.

PHI of 3,683 Ashtabula County Medical Center Patients Exposed Online

Ashtabula County Medical Center (ACMC), an affiliate of Cleveland Clinic, is notifying 3,683 patients that some of their protected health information has been exposed online. On or around January 6, 2020, ACMC posted an Excel spreadsheet on a website to comply with government requirements about medical cost disclosures. On March 12, 2020, ACMC learned that a limited amount of protected health information had been accidentally included in the spreadsheet.

The exposed information was limited to patients’ names, diagnoses, and health and treatment histories. No Social Security numbers or financial data were exposed. Out of an abundance of caution, affected individuals have been offered a 12-month complimentary membership to identity theft recovery services through ID Experts.

ACMC has now updated its policies and procedures and has implemented additional safeguards to prevent similar breaches in the future.

Phishing Attack Exposed PHI at Orchard Medical Consulting

Orchard Medical Consulting, a provider of nurse case management services for workers’ compensation claims, has announced that an unauthorized individual gained access to the email account of one of its employees and potentially accessed protected health information stored in the account.

The attack was detected on January 30, 2020, and immediate action was taken to secure the account. The investigation revealed the account contained names, dates of birth, and, for a very small number of individuals, Social Security number, and medical information such as diagnosis, treatment plan, and/or health history.

No evidence of data access, data theft, or misuse of PHI has been discovered. Affected individuals have been offered complimentary membership to TransUnion Interactive’s myTrueIdentity credit monitoring service out of an abundance of caution. To prevent further breaches, email security has been strengthened, policies and procedures updated, and multi-factor authentication has been implemented.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.