HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Ohio Patients Suffer First Hacking-Related Data Breach

Members of the Huntington Bancshares’ wellness program in Ohio have been notified of a data breach in which their healthcare information was potentially compromised. Close to 4,500 state residents have been affected. This is the first large-scale data breach to affect Ohio residents.

The data breach did not occur at Huntington Bancshares, but was part of a data breach affecting a Business Associate (BA) of StayWell Health Management LLC, Onsite Health Diagnostics. The data breach exposed 60,652 records in total, with hackers first gaining access to the database on January 4 of this year. The data breach was discovered on March 25, although a breach notice was delayed and has only just been released.

Hackers were able to gain access to a scheduling database of Onsite Health Diagnostics. The information was being used for health screening purposes.

The data exposed was limited to Personally Identifiable Information (PII). No health, insurance or financial data was exposed, and neither were Social Security numbers. Patient names, addresses, dates of birth, gender, email addresses and phone numbers were compromised in the incident. Members of the wellness program were notified by mail on July 28, 2014 and were offered a year of credit monitoring services without charge.

Following the data breach, Huntington Bancshares has announced that StayWell is no longer a vendor for the bank.

The network server incident at StayWell Health resulted in four separate breach notices being submitted to the Department of Health and Human Services’ Office for Civil Rights in February of this year. The breach involved Virginia’s Dominion Resources program and Motorola Mobility in Illinois, with 1,700 and 940 affected respectively. Approximately 18,600 members of health plans in Missouri, California and Minnesota were affected, as were members of Nissan North America and Qbe Holdings.

This is one of a number of successful hacking incidents that have been reported in recent months. Earlier this year NRAD Medical Associates suffered at the hands of a hacker with 97,000 records exposed, while over a million records were compromised in an attack on the Montana Department of Public Health and Human Services last month.

With hackers now appearing to target healthcare providers and health plans, covered entities may need to improve defenses to ensure PHI is not exposed. They should also conduct an assessment of their Business Associates to make sure they too are complying with HIPAA regulations.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.