HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Orthopaedics Practice Discovers Year-Long Email Breach Affecting 125,000 Patients

The Centers for Advanced Orthopaedics has discovered that multiple employee email accounts have been accessed by unauthorized individuals. The practice, which serves patients in Virginia, Maryland, and Washington DC, identified suspicious activity in its email system on September 17, 2020. Third-party cybersecurity experts were engaged to assist with the investigation and determined several email accounts had been accessed by unauthorized individuals between October 2019 and September 2020.

A review of the affected email accounts was conducted to determine the types of information that had been exposed and it was confirmed on January 25, 2021 that protected health information may have been viewed or acquired by cybercriminals.

The email accounts contained information of patients, employees, and their dependents. Patient information was mostly restricted to names, dates of birth, diagnoses, and treatment information. A subset of patients also had one or more of the following data types stored in the account: Social Security number, driver’s license number, passport number, financial account information, payment card information, or email/username and password.

Employee and dependent information was mostly limited to dates of birth, medical diagnoses, treatment information, Social Security numbers, and driver’s license numbers. A subset included one or more of the following: passport number, financial account information, payment card information, or email/username and password.


Notifications were sent to affected individuals starting March 25, 2021. Complimentary credit monitoring and identity restoration services have been offered to affected individuals.

Policies and procedures and security infrastructure are being reviewed and will be updated to improve protections from these types of breaches.

Vendor Email Breach Impacts Patients of Remedy Medical Group

Administrative Advantage, a vendor that provides billing support to the Californian pain management specialty practice Remedy Medical Group, has discovered the email account of an employee was accessed by an unauthorized individual. Suspicious activity was detected in the email account in July 2020 and an investigation was launched to determine the nature and scope of the breach. Third-party security experts assisted with the investigation and determined on August 18, 2020 that the email account had been accessed by unauthorized individuals between June 23, 2020 and July 9, 2020.

At the time of the breach the email account contained the protected health information of Remedy Medical Group patients, which included names, financial account information, Social Security numbers, driver’s license and/or state identification numbers, credit and/or debit card information, dates of birth, passport numbers, electronic signature information, username and password information, medical record numbers, Medicare numbers, Medicaid numbers, treatment locations, diagnoses, health insurance information, and lab test results. The types of information potentially compromised varied from patient to patient.

Further to the breach, security measures have been reviewed and additional training has been provided to the workforce on email security. Individuals potentially at risk of identity theft have been offered access to identity theft protection services at no cost. The breach has been reported to the HHS’ Office for Civil Rights as affecting 4,852 individuals.

Email Error Discovered Affecting Dallas County Jail Inmates

Parkland Health and Hospital System has discovered an email error that resulted in the protected health information of individuals incarcerated in the Dallas County jail system being sent to an individual not authorized to view the information.

The email, which contained lab test invoices that included inmates’ first and last name, date of birth, and name of the diagnostic test provided, was sent in error to a Dallas County employee.

The breach occurred in February 2020. Parkland Health and Hospital System officials were informed by the recipient of the email that the message had not been read and was permanently deleted the day it was received. The 1,594 individuals affected have been notified.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.