The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Phishing Attack, Lost Devices, and System Error Exposed PHI of 9,400 Patients

Posted By on Aug 3, 2018

A round up of data breaches recently disclosed to the media and the Department of Health and Human Services’ Office for Civil Rights

System Error Exposed Data at Pennsylvania Department of Human Services

Pennsylvania Department of Human Services has discovered a system error in its Compass system allowed certain individuals to view the protected health information of others who, at some point, were part of the same benefit household but are now part of a different active case record.

The types of information that could have been viewed included names, citizenship, date of birth, and all information reported about employment, although not Social Security numbers. No reports have been received to date to suggest any of the information was accessed and misused. The system glitch was detected on May 23, 2018 and has now been corrected. All 2,130 individuals potentially impacted have been notified of the breach by mail.

Lost Laptop Exposes PHI of Ambercare Patients

The Ambercare Corporation, a provider of hospice and home care services in New Mexico, has announced that an unencrypted laptop computer containing the protected health information of 2,284 patients has been lost and possibly stolen.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The laptop, which had been issued to an Ambercare employee, was discovered to be missing on May 30, 2018. The laptop was password-protected, but not encrypted. The protected health information stored on the device was required by the employee to perform work functions and included names, addresses, dates of birth, diagnostic information, clinical information, and Social Security numbers.

The loss/theft has been reported to law enforcement and employees have received further training on physical security. Since Social Security numbers were exposed, affected patients have been offered complimentary credit monitoring services through Experian for 12 months.

Email Account Compromise Discovered by San Francisco Institute on Aging

The San Francisco, CA-based Institute on Aging has discovered an unauthorized individual has gained access to the email accounts of some of its employees. The breach was discovered on May 28, 2018, although it is currently unclear for how long the email accounts were compromised.

The Institute on Aging employed expert data breach response professionals to secure its systems and manage the breach response. Messages in the compromised email accounts were checked and found to contain the protected health information of 3,907 patients. Information contained in emails and email attachments included the names of patients and employees along with email addresses, birth dates, financial records, diagnoses, treatment information, and medical payment information.

Affected individuals were notified on July 20 and were offered 12 months credit monitoring and identity theft protection services without charge.

Lost Laptop Sees PHI of Rocky Mountain Health Care Services Patients Exposed

Colorado Springs-based Rocky Mountain Health Care Services has discovered an unencrypted laptop computer issued to an employee has been stolen. The laptop contained the protected health information of 1,087 patients.

The laptop computer was stolen on May 15, 2018, prompting an immediate investigation to determine the types of information stored on the device. The investigation determined the breach was limited to names, addresses, birth dates, Social Security numbers, diagnoses, treatment plans, and prescription information. Affected individuals have been offered credit monitoring and identity theft restoration services for 12 months without charge.

This is the third laptop theft experienced by Rocky Mountain Health Care Services in the past 12 months. A laptop was discovered to have been stolen on September 28, 2017 and a mobile phone and laptop were discovered to have been stolen on June 18, 2017.

Rocky Mountain Health Care Services has now reviewed its policies and procedures on information security, has incorporated mobile device security controls, and is now encrypting data on all company laptops.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist