Prisma Health Website Breach Potentially Impacts 22,000 Individuals

Prisma Health Midlands is notifying approximately 19,000 patients and 3,000 employees about a data breach involving the Palmetto Health website.

Prisma Health – formerly Palmetto Health – learned on August 29, 2019 that an unauthorized individual had obtained the login credentials of a Prisma Health employee. Those credentials allowed the attacker to access the Palmetto Health website, which contained volunteer registration information and patient pre-registration forms that had been completed online.

Those forms related to 6 Midlands hospitals and contained information such as names, addresses, dates of birth, limited health information and, for certain individuals, their Social Security number. No medical records or financial information were exposed. Prisma Health was not able to determine for how long the credentials were accessible.

Upon discovery of the incident, the employee’s password was changed to prevent any further unauthorized access, and policies and procedures are being updated to prevent similar breaches in the future. Affected individuals have been notified by mail, and individuals whose Social Security number was exposed have been offered complimentary credit monitoring and identity theft protection services for 12 months.

Prisma Health has suffered multiple privacy breaches this year. In April, Prisma Health announced it had been the victim of a phishing attack that saw the email accounts of several employees accessed by an unauthorized individual. The PHI of 23,811 individuals was exposed as a result of the attack. A further privacy breach was announced in July when a notebook containing the PHI of OB/GYN patients from its Richland Campus in Columbia was discovered to have been stolen from a physician’s car. Information on up to 2,770 individuals was recorded in the notebook.

Seattle Cancer Care Alliance Email Error Exposed Patients’ Email Addresses

944 patients of Seattle Cancer Care Alliance (SCCA) have had their email addresses exposed to other patients as a result of an error by a member of staff when sending an August 27, 2019 email invitation.

Rather than adding email addresses to the blind carbon copy (BCC) field, thus shielding the recipients’ email addresses from each other, the email addresses were added to visible fields and could be seen by all individuals who received the email invitation. No other information was disclosed.

SCCA is now evaluating its systems, policies and procedures, and safeguards will be implemented to prevent similar breaches in the future. Notification letters were sent to affected patients on October 16, 2019.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.