Quantum Imaging and Therapeutic Associates Investigating Possible Facebook HIPAA Breach
The Pennsylvania physician-owned radiology practice Quantum Imaging and Therapeutic Associates has announced that reports have been received about a non-physician employee who allegedly shared an x-ray of a male patient’s genitalia with members of a Facebook group.
The sharing of medical images on social media networks, without patient consent, is a violation of patient privacy and HIPAA. Quantum issued a statement on Facebook confirming reports had been received about a privacy breach and said, “Quantum is committed to respecting the privacy of its patients and is deeply disheartened by these reports.” No further information has been released about the breach pending the results of the investigation. The matter has been reported to Fairview Township police and an investigation has been launched, but no arrests have been made at this stage. Several individuals have commented on the Facebook post claiming the image could be viewed by ‘thousands’ of people.
US HealthCenter Discovered Email Account Breach
The health risk management corporation US HealthCenter has discovered that an email account was accessed by an unauthorized individual, who may have viewed or obtained the personal and protected health information of members of the Cost Plus World Market’s (Cost Plus) Wellness Program.
The breached email inbox was used to receive completed Annual Preventive Screening affidavits from participants. Questions from Wellness Program participants about the program were also sent to the email account. US HealthCenter discovered the unauthorized access on April 13, 2020, when the account was used to send phishing emails to Cost Plus wellness plan participants. During the time that the account was accessible, the unauthorized individual was able to view and forward emails.
The review of emails in the account showed they contained participants’ names, employee numbers, dates of birth, physician signatures, dates of exams, and limited health information.
The account was immediately secured. The email account is now hosted on a new Microsoft Office 365 platform, which has better security protections, and multi-factor authentication has been added to all email accounts. US HealthCenter did not find any evidence to suggest personal information has been misused.
Delaware Department of Health and Social Services Discovered Impermissible PHI Disclosure
The Delaware Department of Health and Social Services has discovered a spreadsheet containing protected health information was accidentally shared with four students.
Four seniors at the University of Delaware had requested information for a project to help them identify service gaps in the community and were sent a spreadsheet. The students required information such as the age range of individuals and their disability status, but identifying information had not been removed before the spreadsheet was shared. The students were able to view full names, birth dates, diagnoses, and county information related to 350 individuals.
The students gave a presentation of their report via Zoom on May 8, in which data was presented that included patients’ PHI. The Delaware Department of Health and Social Services immediately ended the presentation when it was discovered protected health information had been included. The students were ordered to delete the data and the employee who sent the spreadsheet has been disciplined.