One Community Health Patients Notified About April 2021 Cyberattack and Data Theft

Sacramento, CA-based One Community Health has recently notified patients that its systems were compromised between April 19 and April 20, 2021. An unauthorized individual was discovered to have gained access to systems containing the personal and protected health information of certain employees and patients.

A comprehensive forensic investigation was conducted by a third-party cybersecurity firm to determine the nature and scope of the attack, and One Community Health was notified on October 6, 2021, that the attacker had exfiltrated files from its network that included full names and one or more of the following data elements: Address, other demographic information, telephone number, email address, date of birth, Social Security number, driver’s license number, insurance information, diagnosis information, and treatment information.

Notification letters started to be sent to all affected patients on November 22, 2021. There have been no reported cases of identity theft or fraud; however, complimentary credit monitoring services have been offered to affected individuals as a precaution against identity theft and fraud.

One Community Health said it has been working with cybersecurity experts to augment its defenses against cyberattacks, and has improved endpoint detection, email security, and has signed up for 24×7 managed detection response.

The HHS’ Office for Civil Rights Breach Portal indicates 39,865 patients have been affected.

Email Error by Eye Care Product Manufacturer Results in PHI Disclosure

Alcon, a provider of eye care products, has discovered an email error that resulted in the disclosure of certain patients’ protected health information to healthcare providers not authorized to view the information.

On October 5, 2021, Alcon emailed patients’ protected health information to healthcare providers to facilitate billing. The emails were supposed to only contain information about each healthcare providers’ patients; however, a technical error meant the emails contained the information of patients of other healthcare providers.

The emails contained a limited amount of information about patients who had recently received an Alcon intraocular lens implant, namely, first and last names, device serial numbers, dates of implant, and treating physician names.

All healthcare providers who received the email were contacted and told to delete the email and Alcon has reviewed and updated its policies and procedures to prevent similar breaches in the future. Due to the nature of the information disclosed and the entities that received the information, Alcon does not believe any patient information will be used inappropriately.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.