PHI Potentially Compromised in Security Incidents at People Incorporated and My Choice HouseCalls

Share this article on:

People Incorporated Mental Health Services, a provider of integrated behavioral and mental health services in Minnesota, is notifying 27,500 patients that some of their protected health information was exposed in an email account breach between April 28, 2020 and May 4, 2020.

Prompt action was taken to block further access to the email accounts and an investigation was launched to determine the nature and scope of the breach. Assisted by third-party cybersecurity experts, and after conducting a manual document review, People Incorporated discovered on September 8, 2020 that the email accounts contained patients’ personal and protected health information. While third party access to the email accounts had occurred, no evidence was found to indicate any information was stolen or has been misused.

The PHI in the compromised accounts included names, dates of birth, addresses, treatment information, insurance information, and medical record numbers and, for a limited number of individuals, Social Security numbers, financial account information, health insurance information, and driver’s license or state identification numbers. Credit monitoring services have been offered to individuals whose Social Security number was potentially compromised.

People Incorporated has taken steps to ensure threats are identified and remediated more rapidly in the future, additional technical security measures have been implemented, and further training has been provided to employees on the identification and handling of malicious messages.

PHI Potentially Compromised in My Choice HouseCalls Burglary

My Choice HouseCalls, an in-home primary care provider in Jacksonville, Florida, experienced a break-in at its administrative offices on or around September 3, 2020 and several computers were stolen. The theft was reported to law enforcement, but the stolen equipment has not been recovered.

A forensic examination confirmed the computers contained the following types of patient information: Names, addresses, provider names, provider routes, facilities where patients are located, patient profile pictures, types of visits, medical histories, diagnoses,  durable medical equipment supplier names, the companies providing home health services and their notes, insurance information and patient and provider contact information.

My Choice HouseCalls is now implementing whole drive encryption to prevent the exposure of patient information in the event of another burglary. The breach report submitted to the HHS’ Office for Civil Rights shows 3,370 patients have been affected.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On