Texas and Pennsylvania Data Breaches Exposed More than 5,000 Patients’ PHI

Midland Memorial Hospital in Midland, TX, and Washington Health System Greene in Waynesburg, PA, have announced that they have discovered exposures of patients’ protected health information.

Washington Health System Greene Discovers Hard Drive Missing

Washington Health System Greene is alerting 4,145 patients that some of their protected health information has been exposed after a hard drive was discovered to be missing.

A portable hard drive used with a bone densitometry machine in the Radiology department was discovered to be missing on October 11, 2017. While it is possible that the hard drive may have been misplaced, a search of the hospital did not uncover the device, and the missing device has been reported to the Pennsylvania State Police Department as a potential theft.

The device contained information on patients who visited the hospital for bone density scans between 2007 and October 11, 2017. The information stored on the device was limited to names, height, weight, race, and gender, while some patients also had details of health issues, the name of their prescribing physician, and medical record numbers stored on the device. No financial information, Social Security numbers, insurance details, or other highly sensitive information was exposed.

As required by HIPAA, patients have been notified of the breach. Due to the limited nature of data exposed, even if the device has been stolen, Washington Health Greene does not believe patients are at risk of identity theft or fraud.

Midland Memorial Hospital Discovers Email Account Compromise

Midland Memorial Hospital has experienced a breach of a limited amount of patients’ protected health information. More than 1,000 patients are understood to have been affected.

Midland Memorial Hospital discovered an unauthorized individual gained access to the email account of an employee at the hospital, in what appears to be an attempted Business Email Compromise (BEC) attack. The aim of the attacker appeared to be to fool employees into making bank account transfers to an inappropriate bank account.

The breach was discovered on October 13, 2017, with access to the email account believed to have been gained on or around October 10. Upon discovery of the security breach, access to the email account was terminated and a full investigation was conducted. The email account was determined to contain some protected health information, including first and last names, medical record numbers, account numbers, and information relating to radiology procedures that had been performed at the hospital between August and September 2017. No financial information, driver’s license numbers, or Social Security numbers were exposed, and no evidence has been uncovered to suggest any patient information has been used inappropriately.

Midland Memorial Hospital has taken steps to prevent further incidents of this nature from occurring, including revising policies and procedures and retraining staff.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.