HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Theft, Hacking, Ransomware and Improper Accessing of ePHI – Attacks Coming from All Angles

Theft, hacking, ransomware, and improper ePHI access by employees – The past few days have seen a diverse range of healthcare data breaches reported.

St. Joseph’s Hospital and Medical Center in Arizona, Family Service Rochester of Minnesota, and the University of North Carolina have all reported potential breaches of patients’ ePHI, while Lexington Medical Center in South Carolina has announced that the sensitive data of its employees have been viewed.

University of North Carolina Reports Theft of Dental Patients’ ePHI

A laptop computer and a SD memory card from a digital camera have been stolen from the car of a postgrad dental resident of the University of North Carolina School of Dentistry. While the devices should have had a number of security measures installed to prevent improper data access, UNC has been unable to confirm whether that was the case. The breach may have resulted in the exposure of around 200 patients’ personal information including full face photographs (without any other PHI), names, dates of birth, dental record numbers, treatment plans, dental and health histories, and referral letters including contact information.

Affected patients have been offered one year of credit monitoring services, staff have been retrained on the proper procedures for storing patient health information and disciplinary sanctions have been imposed on the individual who had been issued with the devices.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Family Services Rochester: Systems Hacked; ePHI Potentially Viewed; Data Encrypted

Family Services Rochester in Minnesota has discovered that some of its systems were compromised by a hacker. The accessed part of its computer system contained a range of sensitive electronic information including names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical insurance numbers and medical information.

Access to the computer system was first gained on December 26, 2016 and continued until January 25, 2017, when the attacker installed ransomware that encrypted a range of sensitive data. The incident is being investigated internally and by law enforcement and affected individuals have been offered credit monitoring services to protect them against identity theft.

St. Joseph’s Hospital and Medical Center Breach: Improper Access by Employee

The electronic protected health information of 623 patients of Dignity Health’s St. Joseph Hospital and Medical Center in Phoenix, AZ., has been improperly accessed by one of the center’s employees. The part-time employee was discovered to have accessed the records of patients without any legitimate work purpose for doing so between October 1, 2016 and November 22, 2016. The types of data accessed include patients’ names, demographic data, diagnostic information, clinical information (including doctor’s orders) and medication records. No Social Security numbers or financial data were accessed. The employee in question is not believed to have accessed the records with malicious intent and patients are not believed to be at risk of identity theft.  Dignity Health says “appropriate action has been taken in response to the event.”

Lexington Medical Center – Employee Information Accessed by an Unauthorized Individual

Lexington Medical Center, in Lexington, SC., has discovered that a database – eConnect/Peoplesoft – containing the sensitive information of employees has been accessed by an unauthorized individual. The database contained the types of information criminals seek when sending W-2 Form phishing emails. In this case, the database does not appear to have been accessed as a result of an employee falling for such a scam. The data accessed includes the names and Social Security numbers of employees, but no patient information. Action has been taken to secure the database to prevent further access by unauthorized individuals.

Healthcare Data Breaches Reported to Office for Civil Rights in February 2017

Other recent healthcare data breaches reported to the Department of Health and Human Services Office for Civil Rights in February include:


Covered Entity Location Entity Type Records Breached Cause of Breach
Universal Care, Inc. DBA Brand New Day CA Health Plan 14,005 Unauthorized Access/Disclosure
Family Medicine East, Chartered KS Healthcare Provider 6,800 Theft
Walgreen Co IL Healthcare Provider 4,500 Unauthorized Access/Disclosure
Catalina Post-Acute Care and Rehabilitation AZ Healthcare Provider 2,953 Improper Disposal
Jeffrey D. Rice, O.D., L.L.C. OH Healthcare Provider 1,586 Theft
Benesch, Friedlander, Coplan & Aronoff LLP OH Business Associate 1,134 Unauthorized Access/Disclosure
Bloom Physical Therapy, LLC dba Physicians Physical Therapy Service AZ Healthcare Provider 500 Unauthorized Access/Disclosure

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.