Misconfigured Staff Calendars Exposed Information of Children’s Minnesota Patients for Up to 8 Years

Children’s Minnesota has started notifying 37,942 patients that information related to their appointments has been exposed and could have been accessed by unauthorized individuals.

The internal, electronic calendars used by certain staff members had been configured in a way that allowed them to be viewed by individuals outside of Children’s Minnesota’s system. The misconfiguration was detected on August 26, 2019 and was immediately corrected to prevent unauthorized access.

A third-party computer forensics company was engaged to assist with the investigation and determine the extent of the privacy breach. The firm confirmed that in some cases, the calendars may have been misconfigured for several years, with the earliest case determined to be December 2011.

The calendars contained a limited amount of patient information, such as patient names, medical record numbers, dates of birth, insurance information, account numbers, appointment times and locations, names of procedures, and healthcare provider names.

It was not possible to determine whether the calendars had been accessed by unauthorized individuals during the time they were accessible. Affected individuals have been advised to monitor their account statements and explanation of benefits statements for any sign of fraudulent use of their information.

Children’s Minnesota will be reviewing its security policies and will provide additional training to staff to prevent similar incidents from occurring in the future.

PHI of 15,975 Individuals Exposed Due to Central Valley Regional Center Phishing Attack

Central Valley Regional Center (CVRC), a Merced, CA-based provider of health and support services to individuals with intellectual and developmental disabilities, has discovered that an unauthorized individual gained access to the email accounts of certain employees and potentially viewed or obtained sensitive client information.

The email security breach was discovered on July 29, 2019. The affected email account was immediately disabled, and an investigation was launched to determine the extent of the breach. Assisted by a third-party computer forensics firm, CVRC determined that multiple email accounts had been compromised between July 25 and August 2, 2019. Those email accounts contained information on 15,975 clients.

No evidence of data access or PHI theft was discovered, and no reports have been received to indicate any client information has been misused. However, it was also not possible to rule out unauthorized data access or data exfiltration. As a precaution, affected individuals have been notified and offered complimentary credit monitoring and identity theft protection services.

The types of information that may have been viewed varied from individual to individual and could have involved the following data elements: names, addresses, telephone numbers, dates of birth, death dates, Social Security numbers, driver’s license information, state ID card numbers, other government ID numbers, Medi-Cal numbers, UCI numbers, health insurance information, and medical and health information.

A limited number of individuals also had their taxpayer ID number, financial account/payment card information, PINs/access codes, account password, username, email address, or electronic identifier (and the means to access the related accounts), and/or IRS PIN exposed.

Steps have now been taken to improve security and prevent similar breaches from occurring in the future.

Author: HIPAA Journal