Patient Data Compromised in Email Breaches in Indiana, New York & Wisconsin
Email accounts have been compromised in security incidents at Tower Clock Eye Center in Wisconsin, DMEScripts in Indiana, and General Physician, P.C. in New York.
Tower Clock Eye Center
Tower Clock Eye Center in Green Bay, Wisconsin, has identified unauthorized activity in its email system. A security breach was detected on July 9, 2024, and action was taken to prevent further unauthorized access. Third-party cybersecurity experts were engaged to investigate and determine the extent of the unauthorized activity. The investigation confirmed that a limited number of employee email accounts had been accessed by an unauthorized third party who may have viewed or obtained patient data.
The breach was confined to email accounts, which were found to contain limited patient data. The types of data involved varied from individual to individual and may have included names in combination with one or more of the following: address, date of birth, financial account number, payment card number, medical record number, patient ID or account number, Medicare number, Medicaid number, health insurance information, medical diagnosis, treatment information, treatment date(s) and location(s), doctor name, medical lab/test result(s), Social Security number, and or driver’s license number.
No evidence was found to suggest that any of that information has been misused; however, the affected individuals have been advised to monitor their accounts for signs of unauthorized activity. The breach was recently reported to the HHS’ Office for Civil Rights as affecting 10,737 individuals.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
General Physician, P.C.
General Physician, P.C. (GPPC), a medical group serving Western New York, has experienced a breach of its email tenant. Suspicious activity was identified on June 12, 2024, and on or around August 6, 2024, it was confirmed that there had been unauthorized activity within a GPPC account between April 6, 2024, and June 12, 2024.
The investigation could not determine what information was accessed in the incident, but it has been confirmed that the unauthorized actor had the ability to access patient data such as full names, addresses, Social Security numbers, financial account information, dates of birth, medical history information, mental and physical treatment information, diagnosis information, treating physician names, medical record numbers, and health insurance information.
The file review has not yet been completed, so the breach was reported to the HHS’ Office for Civil Rights using a placeholder of 501 affected individuals. General Physician subsequently notified OCR that 167,387 individuals had some of their protected health information compromised in the incident.
DMEscripts
DMEscripts, an Indianapolis, IN-based e-prescribing platform provider, has reported a breach of the protected health information of 9,993 patients. On or around April 22, 2024, DMEscripts identified suspicious activity in an employee’s email account. The account was secured and an investigation was launched that confirmed unauthorized access to the account. It was not possible to tell what emails were opened or if any of the emails were copied. The review of the account confirmed it contained information provided by its customers, which may have included names, dates of birth, medical information, and/or health insurance information. Notifications have now been mailed to the affected individuals and email security has been reviewed.
