HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

PHI Compromised in Incidents at CorrectHealth, UF Health Shands, Peter Brasseler, & Gifted Healthcare

CorrectHealth Notifies 54,000 Patients About November 2021 Email System Breach

Alpharetta, GA-based CorrectHealth, which provides healthcare services for inmates at correctional facilities, is notifying patients about a breach of its email environment. The breach was detected on November 10, 2021, with the investigation confirming several employee email accounts had been accessed by an unauthorized individual. Legal counsel for CorrectHealth said the third-party forensic investigation of the data breach concluded on January 28, 2022, and confirmed patients’ protected health information was present in the breached email accounts.

A comprehensive review of the affected accounts was conducted between March 2022 and July 2022 to determine the specific information that was affected, which confirmed names, addresses, and Social Security numbers had been exposed. CorrectHealth said it is unaware of any misuse of patient information.

Notification letters were sent on August 25, 2022, and complimentary credit monitoring and identity theft protection services have been offered to affected individuals. In response to the breach, CorrectHealth has implemented additional safeguards, including deploying an advanced phishing service, putting disclaimers on all externally received emails, implementing multi-factor authentication for administrative staff, and a single sign-on solution for clinical staff. CorrectHealth is also conducting weekly data security and monthly simulated phishing training for all employees.

The breach was reported to the Maine attorney general as affecting 54,066 individuals.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Email Accounts breached at Gifted Healthcare

Metairie, LA-based Gifted Healthcare has reported a security breach involving the protected health information of its patients. While the incident appeared to be confined to a single email account, the investigation revealed three email accounts had been compromised between August 25, 2021, and December 10, 2021. Gifted Healthcare did not say when the breach was detected, but the review of the affected email accounts was completed on July 25, 2022. Notification letters were sent to affected individuals on August 25, 2022.

Data compromised in the incident included names, addresses, driver’s license numbers, Social Security numbers, financial information, health insurance information, and medical information. The breach was reported to the Maine attorney general as affecting 13,770 individuals.

Ransomware Attack Impacts Brasseler Patients

Savannah, GA-based Peter Brasseler Holdings, LLC, has recently confirmed it was the victim of a ransomware attack. The attack was detected on June 24, 2022, with the investigation confirming files containing individuals’ protected health information were stored on parts of the affected systems and may have been viewed or obtained in the incident. The breach also affected its subsidiaries, Brasseler U.S.A. Dental, LLC and Brasseler U.S.A. Medical, LLC.

The investigation into the breach is ongoing, but it has been confirmed that the following types of information were potentially compromised: names, government-issued identification numbers such as Social Security numbers, driver’s license numbers, and passport numbers; financial account information, such as debit card and credit card numbers; medical and insurance information; and other information, such as dates of birth.

The breach was reported to the Maine attorney general as affecting 3,353 individuals. Affected individuals have been offered a complimentary 24-month membership to Experian’s IdentityWorks credit monitoring and identity theft protection service.

UF Health Shands Employee Snooped on Records of Almost 1,000 Patients

UF Health Shands has recently confirmed that a former employee accessed the records of 941 patients without authorization between April 27, 2021, and July 21, 2022. When the unauthorized access was detected, the employee’s access to patient information was suspended pending a full investigation, which confirmed that the employee viewed patient information such as names, addresses, phone numbers, diagnoses and conditions, and some health insurance information.

UF Health Shands said the individual is no longer employed by UF Health Shands.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.