Multiple Email Accounts Compromised at Covenant Care California and Bergen’s Promise

Aliso Viejo-based Covenant Care California, an operator of skilled nursing facilities and a provider of home health services in California and Nevada, has announced that an unauthorized third party has gained access to its email system, and potentially viewed or obtained electronic protected health information. Suspicious activity was detected in an employee’s email account in February 2022, with the subsequent investigation confirming multiple employee email accounts had been accessed between February 24 and March 22, 2022. The accounts contained data related to its home health services, which were provided under the following names:

  • Focus Health
  • RehabFocus Home Health
  • Elevate Health Group
  • Choice Home Health
  • San Diego Home Health

A review of the accounts was completed on March 27, 2022, and confirmed protected health information was present in the email accounts, which for most individuals included names, medical information, and health insurance information. A subset of individuals also had their date of birth, Social Security number, driver’s license number, and/or other personal information exposed. Covenant Care said safeguards are being reviewed and will be updated to improve security, including further training for employees on email security. Affected individuals have been offered complimentary identity monitoring services.

It is currently unclear how many individuals have been affected. This post will be updated when that information is publicly released.

Bergen’s Promise Email Account Accessed by Unauthorized Individual

Bergen’s Promise, the designated Care Management Organization for Bergen County in New Jersey, has recently announced that part of its email system has been compromised. Suspicious activity was detected in an employee’s email account, with the forensic investigation determining six email accounts had been compromised between November 15 and November 18, 2021. The suspicious activity was detected on November 15.

Bergen’s Promise said security protocols have been enhanced in response to the incident. Credit monitoring and identity theft protection services have been offered to affected individuals. It is unclear why it took 7 months from the date of discovery of the breach to issue notification letters.

The breach was reported to the HHS’ Office for Civil Rights as affecting 6,948 individuals.

Grandview Medical Center Notified About Theft of ER Activity Logs

Grandview Medical Center in Birmingham, AL, has started notifying 1,126 individuals that activity logs from its emergency department containing protected health information were stolen and have since been recovered by law enforcement.

Grandview Medical Center was contacted by law enforcement on April 12, 2022, and was informed that the logs had been found in a residential apartment on April 4, 2022. The logs contained records of patient visits between February 1 and February 12, 2022, and included information such as name, date of birth, medical record number, account number, and treatment information including reason for visit, diagnosis, acuity, date/time of service, arrival mode and discharge disposition.

Grandview Medical Center said the law enforcement investigation is ongoing. At this stage, it is unclear what the person who stole the logs did with the data, but it is possible that the logs have been exposed to other individuals. As a precaution, credit monitoring services have been offered to affected individuals.

The medical center said it provides regular privacy and confidentiality training to employees and emphasizes the importance of protecting patient information.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.