Seattle Indian Health Board and Florida Hospital Announce Privacy Breaches

On August 10, 2016, Seattle Indian Health Board discovered the email account of an employee had been hacked, potentially giving the attacker access to sensitive patient data including names, dates of birth, patient ID numbers, Social Security numbers and other PHI stored in the account.

It would appear that the email account was not hacked for the purpose of stealing patient health information, although it is possible that patient data were viewed during the time the account was compromised. The breach was rapidly identified and the email system was shut down within four hours of the account being compromised. During that time the attacker had managed to send emails from the account to unknown individuals, although no emails containing patient health information were forwarded from the account.

Security controls were in place to ensure that any account compromise was rapidly identified, although additional security measures are now being implemented to reduce the risk of future email account breaches. All employees were required to reset their passwords and have received training on the importance of password security. Additional password control measures have now been adopted to ensure all employees set strong passwords. The email system is also scheduled to be upgraded to a more secure system.

An in-depth investigation of the email account revealed 793 patients were potentially impacted by the breach. Due to the rapid identification of the breach and the nature of the actions performed by the attacker, the risk to patients is believed to be low.

Boxes of Patient Files Missing After Storage Unit Move

Officials at Florida Hospital in Orlando have discovered boxes of patient health records were lost while being transferred between storage facilities. The boxes of files, which contained the sensitive information of as many as 6,000 patients, were supposed to have been moved from a secure storage unit operated by Access to an Iron Mountain facility. However, on or around August 17, hospital officials discovered the boxes had been misplaced.

While the files are still missing, theft is not suspected. It is believed the files are located at either storage facility and have just been misplaced. A search of both facilities is being conducted; however, after almost two months the boxes had still not been located. Florida Hospital has now started notifying patients of the potential privacy breach. Out of an abundance of caution, patients have been offered a year of identity theft protection services in case the files have been stolen or accessed by unauthorized individuals.

Patients affected by the incident had received medical services at Newman Family Medicine, Vascular Institute of Central Florida, Longwood Family Health, Orthopaedics and Sports Medicine of Central Florida, East Orlando General Surgery, Orlando Family Medicine, or Advanced Adult and Pediatric Medicine.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.