PHI of up to 50,000 Patients of Arizona Asthma and Allergy Institute Exposed Online

Arizona Asthma and Allergy Institute in Peoria, AZ has discovered the protected health information of up to 50,000 patients has been temporarily exposed online and could potentially have been accessed by an unauthorized individual.

The affected patient data had been exposed for a brief period in September 2020 under the name of a different organization. Upon discovery of the security incident, a third-party computer forensics firm was engaged to investigate and determine the scope of the security breach and the extent to which patient data had been affected.

The investigation confirmed on March 8, 2021 that the types of data exposed included first and last names, patient identification numbers, provider names, health insurance information, and treatment cost information. Affected patients had received medical services from the Arizona Asthma and Allergy Institute between October 1, 215 and June 15, 2020.

While the exposure of data was confirmed, no evidence was found to indicate any patient data has been misused; however, affected patients have been advised to monitor their explanation of benefits statements for any signs of fraudulent activity.

Arizona Asthma and Allergy Institute has since taken steps to enhance security to prevent any similar incidents in the future.

Package of Documents Containing PHI of 4,571 Patients is Lost in Transit

Irvine, CA-based Exceltox Laboratories has notified 4,571 individuals about the potential exposure of some of their protected health information.

Exceltox is a CLIA-certified laboratory that provides clinical and toxicology testing services, including COVID-19 tests. On February 15, 2021, Exceltox sent a package containing documents related to COVID-19 tests performed for patients via UPS to its document scanning vendor.

Exceltox believed that the package had been safely delivered, but later discovered the package had not arrived at its intended destination. Exceltox worked with UPS to try to locate the missing package but it has not yet been found. According to UPS documentation, an attempt was made to deliver the package, but the offices of the document scanning company were closed. The package was returned to the depot for redelivery, but the package was never redelivered. Efforts are continuing to try to locate the missing package.

The documents in the package included full names, addresses, phone numbers, Social Security numbers, dates of birth, genders, medical provider names, patient IDs, test types, collection dates, insurance provider names, insurance plan names, and policy numbers and/or group numbers.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.