HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

PHI Incidents Recently Reported by Healthcare Providers and Business Associates

A roundup of privacy and security incidents recently reported by HIPAA-covered entities and business associates that involved the exposure of disclosure of protected health information.

Server Breach Impacts Patients of Northwest Eye Surgeons and Sight Partners

Northwest Eye Surgeons LLC and Sight Partners LLC have started notifying 20,838 patients that some of their protected health information was stored on a server that was accessed by an unauthorized third party.

The breach was detected on May 1, 2020 and an investigation was immediately launched to determine the extent and scope of the breach. A third-party cybersecurity firm was engaged to assist with the investigation, and the review of the affected server was completed on July 31, 2020. A different IT firm was then engaged on August 7, 2020 to identify all protected health information stored on the server to determine which patients were affected.

The review revealed the server contained information such as patients’ names, dates of birth, Social Security numbers, driver’s license numbers, ID numbers, financial account and credit card information, medical information and insurance information.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

No evidence was found to indicate patient information was removed from the server or has been misused, but out of an abundance of caution, affected patients have been offered complimentary membership to Equifax Credit Watch Gold credit monitoring, identity theft protection, and dark web monitoring services for two years.

Email Breach at Distributor Affects 3,429 Users of DJO Mobility Products

DJO, LLC, a Lewisville, TX-based provider of medical technologies to improve patient mobility, is alerting 3,429 patients that some of their protected health information has potentially been accessed by an unauthorized individual in an email breach at a former independent distributor.

An email account used by an employee of All Pro Sports was compromised in a phishing attack. The email account was accessed and used to send phishing emails to individuals in the employee’s contact list. An analysis of the email account revealed it contained limited information relating to users of DJO products in the central Florida. The exposed information was limited to names, addresses, email addresses, dates of birth, physician names, product information, information related to the product prescription, and for a limited number of individuals, Medicare numbers.

The email breach was discovered by All Pro Sports on August 17, 2020 and steps were immediately taken to secure the account. DJO conducted a thorough investigation of the incident, engaged a leading IT forensics company to assist with the investigation, and confirmed that no other systems or information were involved. Affected patients were notified about the breach in October.

Lawrence General Hospital Reports Data Security Incident

Lawrence General Hospital in Massachusetts has reported a data security incident in which unauthorized individuals potentially accessed a limited amount of patient information. A security breach was identified on September 19, 2020 which disrupted its IT systems. The investigation revealed an unauthorized individual gained access to its systems on September 9, 2020. Access was possible until September 19 when the network was secured.

The compromised systems contained patient names, internal patient ID numbers, insurance type, internal visit ID numbers and, for a very limited number of patients, some clinical information. The Social Security numbers of 5 patients were also potentially compromised.

Notifications were sent to affected individuals on November 5, 2020. Lawrence General Hospital said enhancements have been made to its intrusion detection systems in response to the breach.

The breach was reported to the HHS’ Office for Civil rights as affecting 176,587 individuals.

Spreadsheet Error Exposed Limited PHI of Mary Rutan Hospital Patients

Mary Rutan Hospital in Bellefontaine, OH has discovered a limited amount of patient information has been exposed due to a spreadsheet error. A link was added to the hospital’s website to provide information on Diagnosis Related Groups; a patient classification system that standardizes prospective payment to hospitals. DRG payments covers charges associated with an inpatient stay at the hospital.

The link directed individuals to a spreadsheet which was discovered to have multiple tabs, on which limited patient information was visible. Two of the tabs contained patient names, patient account numbers, birth dates, dates of service, reasons for visit, DRG codes, visit costs, insurance payment amounts, adjusted amounts, and any balances due for 1,677 patients. High risk data were not included on the spreadsheet.

No evidence was found to indicate the information was viewed by unauthorized individuals. The link was deactivated the same day the error was discovered.

Tri-State Specialists Notifies 17,500 Patients About Email Error

Tri-State Specialists, a network of orthopedic surgery clinics serving residents in Iowa, South Dakota, and Nebraska, is notifying 17,050 patients about an incident that resulted in the impermissible disclosure of their names and email addresses to a small number of current and former patients.

On September 16, 2020, Tri-State Specialists discovered an email had been sent by an employee that included patients’ names and email addresses in an attached file. No other patient information was included in the file. Patients have been advised to be vigilant for spam messages as a result of the disclosure of their email addresses.

In response to the breach, Tri-State Specialists have revised policies and procedures related to the sending of emails to prevent similar breaches in the future. The importance of data privacy has been re-emphasized with the workforce.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.