HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

NorthWest Congenital Heart Care Reports Theft of Device Containing PHI of 1,166 Patients

Washington-based NorthWest Congenital Heart Care is alerting 1,166 patients that some of their protected health information has been acquired by an unauthorized individual. On May 7, 2021, an unauthorized third party entered the office of a single NWCHC physician and stole an external hard drive that was used for data backups. The theft was reported to law enforcement, but the hard drive has not been recovered.

A review of the data backups revealed they contained patient information such as names, dates of birth, ages, medical and treatment information, dates of service, location of service, physician names, services requested, procedures performed, diagnosis codes, diagnosis and treatment descriptions, medical record numbers and, for one individual, health insurance information.

To reduce the risk of future data breaches, NorthWest Congenital Heart Care will be eliminating the use of external hard drives for data backups.

Superior HealthPlan Members Affected by Accellion Data Breach

2,781 members of Superior HealthPlan in Texas have been notified that some of their protected health information was compromised in the cyberattack on Accellion. The attack affected the Accellion file transfer appliance, which was used for sending files too large to be sent via email.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The attackers had access to the platform between January 7 and January 20, 2021. On April 2, 2021, Superior HealthPlan discovered the attackers were able to access and download files containing names, addresses, dates of birth, insurance ID numbers, and health information such as medical condition and treatment information.

All affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months. Accellion’s services are no longer being used, all data has been removed from Accellion’s systems, and file transfer processes and tools have been reviewed and are being updated to prevent similar breaches in the future.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.