HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Summary of Recent Healthcare Data Breaches

A round up of healthcare data breaches recently announced by healthcare providers and business associates of HIPAA covered entities.

Tillamook Chiropractic Clinic Discovers 26-Month Malware Infection

The medical records of 4,058 patients of the Tillamook Chiropractic Clinic in Tillamook, OR have been stolen as a result of a malware infection.

On August 3, 2018, the clinic conducted an internal security audit which showed that malware had been installed on its network, even though a firewall was in place, antivirus and antimalware software were installed and up to date, and its software was fully patched. An investigation into the security breach revealed the malware had been installed on May 24, 2016 and had remained undetected for 26 months. The malware had been installed on the primary insurance billing system, which the clinic reports was used as a staging area by the attackers to collect patient records before exfiltrating the data.

The information believed to have been stolen includes full names, home addresses, work addresses, dates of birth, phone numbers, diagnoses, lab test results, medications, driver’s license numbers, insurance billing information, bank routing numbers, bank account numbers, employee payroll data, and for Medicare patients, Social Security numbers.

Tillamook Chiropractic Clinic removed the malware on August 3, 2018 and has now modernized and upgraded its computer security systems and policies.
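The Tillamook incident shows that a firewall, up-to-date antivirus and full patching did not prevent a billing server from being used for 26 months to stage and exfiltrate records. A control that would have had a chance of surfacing this is volume baselining on sensitive hosts: compare each day's outbound traffic from the billing system against its own history and raise an alert when it jumps, naming any destinations the host has never talked to before. The following is an added example written for this article, not code from the clinic or from HIPAA Journal; the host names, flow records and threshold are constructed for illustration.

```python
"""Flag days on which a sensitive host sends far more data outbound than usual.

Added example; the flow records below are constructed, not real network data.
A record is (day, source host, destination, bytes sent).
"""
from collections import defaultdict
from datetime import date, timedelta

# Thirty quiet days of routine claims traffic from the billing server, then one
# day with an additional large transfer to a destination never seen before.
FLOWS = [
    (date(2018, 7, 1) + timedelta(days=d), "billing-01", "clearinghouse.example", 8_000_000)
    for d in range(30)
] + [
    (date(2018, 7, 31), "billing-01", "clearinghouse.example", 8_200_000),
    (date(2018, 7, 31), "billing-01", "203.0.113.25", 650_000_000),   # constructed: bulk transfer
    (date(2018, 7, 31), "workstation-07", "cdn.example", 120_000_000),  # unrelated host, ignored
]


def flag_exfil_candidates(flows, host, min_baseline_days=7, factor=5.0):
    """Return [(day, total_bytes_out, [new destinations]), ...] for `host`.

    A day is flagged when its outbound total exceeds `factor` times the mean of
    the preceding unflagged days, once at least `min_baseline_days` of history
    exist. Flagged days are excluded from the baseline so that a long-running
    exfiltration cannot quietly raise its own threshold.
    """
    by_day = defaultdict(lambda: defaultdict(int))  # day -> destination -> bytes
    for day, src, dst, nbytes in flows:
        if src == host:
            by_day[day][dst] += nbytes

    seen_destinations = set()
    baseline = []  # daily totals that were judged normal
    alerts = []
    for day in sorted(by_day):
        total = sum(by_day[day].values())
        flagged = False
        if len(baseline) >= min_baseline_days:
            mean = sum(baseline) / len(baseline)
            if total > factor * mean:
                new_dsts = sorted(set(by_day[day]) - seen_destinations)
                alerts.append((day, total, new_dsts))
                flagged = True
        if not flagged:
            baseline.append(total)
        seen_destinations.update(by_day[day])
    return alerts


if __name__ == "__main__":
    for day, total, new_dsts in flag_exfil_candidates(FLOWS, "billing-01"):
        print(f"{day}: {total:,} bytes out from billing-01; new destinations: {new_dsts}")
```

The threshold and baseline window are deliberately simple; in practice they would be tuned per host, and the "new destination" list is what turns a volume spike into something an analyst can act on the same day rather than two years later.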

Gwinnett Medical Center Investigating Possible Hack

A possible data breach has occurred at Lawrenceville, GA-based Gwinnett Medical Center. The PHI of approximately 40 patients has been accessed by an unauthorized individual according to Gwinnett Medical Center spokeswoman Beth Hardy. Names, genders, and dates of birth were exposed on Twitter and notification letters are being sent to those 40 individuals to alert them to the breach.

However, the breach could be far larger. Steve Ragan at Salted Hash reported that a source at the medical center said threats had been received from the attackers and that the breach potentially impacts hundreds of patients. The attackers allegedly posted data on Twitter, claiming the medical center was attempting to cover up the breach.

Gwinnett Medical Center has informed the FBI about the security breach and is still conducting investigations into the cyberattack.

Hardy said, “GMC takes cyber security very seriously and we are committed to maintaining the integrity, availability and confidentiality of our systems and data.”

Toyota Industries North America Breach Impacts 19,000 Individuals

Columbus, IN-based Toyota Industries North America (TINA) has announced that approximately 19,000 current and former employees and health plan participants of the TINA family of companies have been informed that some of their PHI has been exposed. An unauthorized individual succeeded in gaining access to a small number of company email accounts and potentially viewed/copied PHI.

The breach was discovered on August 30 and information security experts were called in to help secure TINA's systems and investigate the breach. A wide range of PII and PHI were present in the compromised email accounts including first and last names, home addresses, dates of birth, phone numbers, financial account information, Social Security numbers, photographs of Social Security cards, driver’s license numbers, photographs of driver’s licenses, email addresses, photographs of birth certificates, photographs of passports, treatment information, prescription information, diagnoses, health plan beneficiary numbers and portal usernames, passwords and security questions.

All affected individuals have been notified by mail and have been offered a year of free credit monitoring and identity theft protection services. TINA has taken several steps following the breach to improve security, including implementing multi-factor authentication, making real-time security monitoring enhancements, and revising its password protection and password resetting policies. TINA is also currently reviewing and updating user training and technology and security practices to reduce the risk of further email breaches.

722 Patients Affected by Kansas City Business Associate Mis-mailing Incident

The Kansas City, MO-based revenue cycle management company, Pulse Systems, has announced that the PHI of 722 patients of Lincoln Pulmonary and Critical Care in Nebraska has been impermissibly disclosed. An error was made sending statements on July 27 that resulted in individuals receiving statements intended for other patients. The statements included only names and procedure information. Steps have now been taken to prevent similar errors from being made in the future and all affected individuals have been notified about the privacy breach.

Oklahoma Department of Human Services Mis-mailing Incident Affects 813 Individuals

More than 800 parents and guardians who were involved in a developmental disabilities services program run by the Oklahoma Department of Human Services (ODHS) have been notified that some of their PHI has been impermissibly disclosed as a result of a computer software error. The error resulted in envelopes being mis-addressed in Plan of Care change notice mailings sent between May 17 and July 25.

The mailings contained names, addresses, DHS case numbers, Medicaid client ID numbers, plan of care numbers, providers’ names, services authorized and beginning and end dates, and an explanation that the person is authorized to receive Medicaid Home and Community-Based Waiver Services. No Social Security numbers were disclosed.

ODHS believes 813 individuals have received mailings containing someone else’s information, although it is not possible to tell if any other individuals have been affected.
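Both the Pulse Systems and the ODHS incidents are mis-mailings: the document inside the envelope belonged to a different person than the one on the address label, in the ODHS case because of a software error in the mailing run. A cheap safeguard is to treat each mailing batch as a set of (envelope, document) pairs and refuse to release the batch until every pair carries the same case identifier and the same recipient name. The following is an added example written for this article, not code from ODHS, Pulse Systems or HIPAA Journal; the record layout, the `case_id` field and the sample batch are constructed for illustration.

```python
"""Pre-release check that every envelope in a mailing batch matches its document.

Added example; the records are constructed and the field names are assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MailItem:
    """One envelope plus the document that was merged into it."""
    envelope_case_id: str
    envelope_name: str
    envelope_address: str
    document_case_id: str
    document_name: str


def _norm(name: str) -> str:
    """Compare names case-insensitively and ignoring surrounding whitespace."""
    return " ".join(name.split()).casefold()


def validate_batch(items):
    """Return a list of (index, field, envelope_value, document_value) problems.

    An empty list means every document is going to the person it describes.
    A case-id mismatch is reported on its own; a name check is only meaningful
    once the ids agree, so it runs only for items whose ids match.
    """
    problems = []
    for i, item in enumerate(items):
        if item.envelope_case_id != item.document_case_id:
            problems.append((i, "case_id", item.envelope_case_id, item.document_case_id))
        elif _norm(item.envelope_name) != _norm(item.document_name):
            problems.append((i, "name", item.envelope_name, item.document_name))
    return problems


def batch_is_releasable(items) -> bool:
    """A single mismatch holds the whole batch: one wrong envelope is one disclosure."""
    return not validate_batch(items)


# Constructed batch: the merge step swapped the documents for cases C-1002 and
# C-1003, the kind of off-by-one that a mis-addressing bug produces.
SAMPLE_BATCH = [
    MailItem("C-1001", "Ana Ortiz",  "1 Elm St, Tulsa OK",    "C-1001", "Ana Ortiz"),
    MailItem("C-1002", "Ben Rao",    "2 Oak St, Tulsa OK",    "C-1003", "Cy Lee"),
    MailItem("C-1003", "Cy Lee",     "3 Ash St, Norman OK",   "C-1002", "Ben Rao"),
    MailItem("C-1004", "Dee Young",  "4 Fir St, Norman OK",   "C-1004", "dee  young"),
]

if __name__ == "__main__":
    for index, field, env_value, doc_value in validate_batch(SAMPLE_BATCH):
        print(f"item {index}: envelope {field}={env_value!r} but document {field}={doc_value!r}")
    print("release:", batch_is_releasable(SAMPLE_BATCH))
```

The check belongs after the merge and before printing, and it must be a hard stop: the ODHS error ran from May 17 to July 25 across 813 envelopes, which is exactly the window a per-batch gate would have closed on the first run.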

Email Account Breaches Result in Exposure of 16,000 Individuals’ PHI

Ransom Memorial Hospital in Ottawa, KS, has discovered an unauthorized individual has gained access to an as yet undisclosed number of email accounts which have been determined to contain the PHI of 14,239 individuals. A further email account breach was detected by Lakewood, CO-based Personal Assistance Services of Colorado, which has resulted in the exposure of 1,839 individuals’ PHI.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.