Phishing Attack, Lost Devices, and System Error Exposed PHI of 9,400 Patients

A roundup of data breaches recently disclosed to the media and the Department of Health and Human Services’ Office for Civil Rights.

System Error Exposed Data at Pennsylvania Department of Human Services

The Pennsylvania Department of Human Services has discovered that a system error in its Compass system allowed certain individuals to view the protected health information of others who, at some point, were part of the same benefit household but are now part of a different active case record.

The types of information that could have been viewed included names, citizenship, date of birth, and all information reported about employment, although not Social Security numbers. No reports have been received to date to suggest any of the information was accessed and misused. The system glitch was detected on May 23, 2018, and has now been corrected. All 2,130 individuals potentially impacted have been notified of the breach by mail.

Lost Laptop Exposes PHI of Ambercare Patients

The Ambercare Corporation, a provider of hospice and home care services in New Mexico, has announced that an unencrypted laptop computer containing the protected health information of 2,284 patients has been lost and possibly stolen.

The laptop, which had been issued to an Ambercare employee, was discovered to be missing on May 30, 2018. The laptop was password-protected, but not encrypted. The protected health information stored on the device was required by the employee to perform work functions and included names, addresses, dates of birth, diagnostic information, clinical information, and Social Security numbers.

The loss/theft has been reported to law enforcement, and employees have received further training on physical security. Since Social Security numbers were exposed, affected patients have been offered complimentary credit monitoring services through Experian for 12 months.

Email Account Compromise Discovered by San Francisco Institute on Aging

The San Francisco, CA-based Institute on Aging has discovered that an unauthorized individual has gained access to the email accounts of some of its employees. The breach was discovered on May 28, 2018, although it is currently unclear for how long the email accounts were compromised.

The Institute on Aging employed expert data breach response professionals to secure its systems and manage the breach response. Messages in the compromised email accounts were checked and found to contain the protected health information of 3,907 patients. Information contained in emails and email attachments included the names of patients and employees along with email addresses, birth dates, financial records, diagnoses, treatment information, and medical payment information.

Affected individuals were notified on July 20 and were offered 12 months of credit monitoring and identity theft protection services without charge.

Lost Laptop Sees PHI of Rocky Mountain Health Care Services Patients Exposed

Colorado Springs-based Rocky Mountain Health Care Services has discovered that an unencrypted laptop computer issued to an employee has been stolen. The laptop contained the protected health information of 1,087 patients.

The laptop computer was stolen on May 15, 2018, prompting an immediate investigation to determine the types of information stored on the device. The investigation determined the breach was limited to names, addresses, birth dates, Social Security numbers, diagnoses, treatment plans, and prescription information. Affected individuals have been offered credit monitoring and identity theft restoration services for 12 months without charge.

This is the third laptop theft experienced by Rocky Mountain Health Care Services in the past 12 months. A laptop was discovered to have been stolen on September 28, 2017, and a mobile phone and laptop were discovered to have been stolen on June 18, 2017.

Rocky Mountain Health Care Services has now reviewed its policies and procedures on information security, has incorporated mobile device security controls, and is now encrypting data on all company laptops.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.