
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

R1 RCM Data Breach Impacts 16,000 Patients

Data breaches have recently been reported by R1 RCM, St. Mary’s Healthcare System for Children, Philips Respironics, and California Correctional Health Care Services.

R1 RCM

R1 RCM Inc., a provider of revenue cycle management services to hospitals, has recently reported a breach of the protected health information of 16,121 individuals. According to a breach notice sent to the Massachusetts Attorney General, R1 learned on November 23, 2023, that protected health information associated with Dignity Health’s St. Rose Dominican Hospital de Lima was in the possession of an unauthorized third party. The hospital’s network was not compromised in the incident.

A review was conducted to determine the data types that had been obtained, and on January 11, R1 determined that the information contained names, contact information, dates of birth, Social Security numbers, location of services, clinical and/or diagnosis information, and patient account and/or medical record numbers. R1 has notified the affected individuals directly and has offered them 2 years of complimentary credit monitoring and identity theft protection services.

Philips Respironics

Philips Respironics has recently reported a breach to the HHS’ Office for Civil Rights that involved the protected health information of 457,152 individuals. While the breach has recently been reported to OCR, it occurred on May 31, 2023, and involved the exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer software. Philips Respironics discovered the breach on June 5, 2023.

Two clients of Philips Respironics have recently confirmed that they have been affected: Forward Healthcare LLC and Rotech Healthcare. Forward Healthcare said it was notified by Philips Respironics on December 20, 2023, that there had been unauthorized access to the Care Orchestrator and Encore Anywhere software solutions via the MOVEit vulnerability, and personal and health information was potentially compromised. 3,999 Forward Healthcare patients were affected. Rotech Healthcare said it was notified about the incident on December 26, 2023, and was provided with a list of the affected patients. The compromised information included names, contact information, dates of birth, medical information related to the therapy delivered, and health insurance information. It is currently unclear how many Rotech patients have been affected.

St. Mary’s Healthcare System for Children, Inc.

St. Mary’s Healthcare System for Children, Inc. in Bayside, NY, identified unauthorized activity within its computer network on or around November 9, 2023, and the forensic investigation confirmed that files were removed from its network the same day. A review of those files confirmed they contained the personal information of 5,650 individuals, including names and Social Security numbers. Individual notifications were mailed to the affected individuals on March 20, 2024, and 12 months of complimentary credit monitoring services have been offered. In a comment to The HIPAA Journal, a representative of St. Mary’s Healthcare System for Children stated that “Only 254 individuals were patients whose PHI may have been viewed, the remainder were employees, former employees and other individuals whose personal information (SSNs, not PHI) may have been viewed”.

California Correctional Health Care Services

California Correctional Health Care Services (CCHCS) has recently identified an impermissible disclosure of personal information. On or around February 26, 2024, a member of staff accidentally emailed an attachment to an unauthorized recipient. The attachment contained protected health information such as last names, CDCR numbers, medical information, risk/priority levels, order types/names, reasons for appointments, and dates of appointments.

CCHCS said the recipient of the email did not open or view the attached file and CCHCS received confirmation that the attachment has been deleted and was not shared with any other individual. The employee in question has been provided with additional privacy awareness and information security awareness training. The HIPAA breach has been reported to the HHS’ Office for Civil Rights as affecting 1,348 individuals.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
