Share this article on:
A roundup of privacy and security incidents recently reported by HIPAA-covered entities and business associates that involved the exposure of disclosure of protected health information.
Server Breach Impacts Patients of Northwest Eye Surgeons and Sight Partners
Northwest Eye Surgeons LLC and Sight Partners LLC have started notifying 20,838 patients that some of their protected health information was stored on a server that was accessed by an unauthorized third party.
The breach was detected on May 1, 2020 and an investigation was immediately launched to determine the extent and scope of the breach. A third-party cybersecurity firm was engaged to assist with the investigation, and the review of the affected server was completed on July 31, 2020. A different IT firm was then engaged on August 7, 2020 to identify all protected health information stored on the server to determine which patients were affected.
The review revealed the server contained information such as patients’ names, dates of birth, Social Security numbers, driver’s license numbers, ID numbers, financial account and credit card information, medical information and insurance information.
No evidence was found to indicate patient information was removed from the server or has been misused, but out of an abundance of caution, affected patients have been offered complimentary membership to Equifax Credit Watch Gold credit monitoring, identity theft protection, and dark web monitoring services for two years.
Email Breach at Distributor Affects 3,429 Users of DJO Mobility Products
DJO, LLC, a Lewisville, TX-based provider of medical technologies to improve patient mobility, is alerting 3,429 patients that some of their protected health information has potentially been accessed by an unauthorized individual in an email breach at a former independent distributor.
An email account used by an employee of All Pro Sports was compromised in a phishing attack. The email account was accessed and used to send phishing emails to individuals in the employee’s contact list. An analysis of the email account revealed it contained limited information relating to users of DJO products in the central Florida. The exposed information was limited to names, addresses, email addresses, dates of birth, physician names, product information, information related to the product prescription, and for a limited number of individuals, Medicare numbers.
The email breach was discovered by All Pro Sports on August 17, 2020 and steps were immediately taken to secure the account. DJO conducted a thorough investigation of the incident, engaged a leading IT forensics company to assist with the investigation, and confirmed that no other systems or information were involved. Affected patients were notified about the breach in October.
Lawrence General Hospital Reports Data Security Incident
Lawrence General Hospital in Massachusetts has reported a data security incident in which unauthorized individuals potentially accessed a limited amount of patient information. A security breach was identified on September 19, 2020 which disrupted its IT systems. The investigation revealed an unauthorized individual gained access to its systems on September 9, 2020. Access was possible until September 19 when the network was secured.
The compromised systems contained patient names, internal patient ID numbers, insurance type, internal visit ID numbers and, for a very limited number of patients, some clinical information. The Social Security numbers of 5 patients were also potentially compromised.
Notifications were sent to affected individuals on November 5, 2020. Lawrence General Hospital said enhancements have been made to its intrusion detection systems in response to the breach.
The breach was reported to the HHS’ Office for Civil rights as affecting 176,587 individuals.
Spreadsheet Error Exposed Limited PHI of Mary Rutan Hospital Patients
Mary Rutan Hospital in Bellefontaine, OH has discovered a limited amount of patient information has been exposed due to a spreadsheet error. A link was added to the hospital’s website to provide information on Diagnosis Related Groups; a patient classification system that standardizes prospective payment to hospitals. DRG payments covers charges associated with an inpatient stay at the hospital.
The link directed individuals to a spreadsheet which was discovered to have multiple tabs, on which limited patient information was visible. Two of the tabs contained patient names, patient account numbers, birth dates, dates of service, reasons for visit, DRG codes, visit costs, insurance payment amounts, adjusted amounts, and any balances due for 1,677 patients. High risk data were not included on the spreadsheet.
No evidence was found to indicate the information was viewed by unauthorized individuals. The link was deactivated the same day the error was discovered.
Tri-State Specialists Notifies 17,500 Patients About Email Error
Tri-State Specialists, a network of orthopedic surgery clinics serving residents in Iowa, South Dakota, and Nebraska, is notifying 17,050 patients about an incident that resulted in the impermissible disclosure of their names and email addresses to a small number of current and former patients.
On September 16, 2020, Tri-State Specialists discovered an email had been sent by an employee that included patients’ names and email addresses in an attached file. No other patient information was included in the file. Patients have been advised to be vigilant for spam messages as a result of the disclosure of their email addresses.
In response to the breach, Tri-State Specialists have revised policies and procedures related to the sending of emails to prevent similar breaches in the future. The importance of data privacy has been re-emphasized with the workforce.