Share this article on:
Theft, hacking, ransomware, and improper ePHI access by employees – The past few days have seen a diverse range of healthcare data breaches reported.
St. Joseph’s Hospital and Medical Center in Arizona, Family Service Rochester of Minnesota, and the University of North Carolina have all reported potential breaches of patients’ ePHI, while Lexington Medical Center in South Carolina has announced that the sensitive data of its employees have been viewed.
University of North Carolina Reports Theft of Dental Patients’ ePHI
A laptop computer and a SD memory card from a digital camera have been stolen from the car of a postgrad dental resident of the University of North Carolina School of Dentistry. While the devices should have had a number of security measures installed to prevent improper data access, UNC has been unable to confirm whether that was the case. The breach may have resulted in the exposure of around 200 patients’ personal information including full face photographs (without any other PHI), names, dates of birth, dental record numbers, treatment plans, dental and health histories, and referral letters including contact information.
Affected patients have been offered one year of credit monitoring services, staff have been retrained on the proper procedures for storing patient health information and disciplinary sanctions have been imposed on the individual who had been issued with the devices.
Family Services Rochester: Systems Hacked; ePHI Potentially Viewed; Data Encrypted
Family Services Rochester in Minnesota has discovered that some of its systems were compromised by a hacker. The accessed part of its computer system contained a range of sensitive electronic information including names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical insurance numbers and medical information.
Access to the computer system was first gained on December 26, 2016 and continued until January 25, 2017, when the attacker installed ransomware that encrypted a range of sensitive data. The incident is being investigated internally and by law enforcement and affected individuals have been offered credit monitoring services to protect them against identity theft.
St. Joseph’s Hospital and Medical Center Breach: Improper Access by Employee
The electronic protected health information of 623 patients of Dignity Health’s St. Joseph Hospital and Medical Center in Phoenix, AZ., has been improperly accessed by one of the center’s employees. The part-time employee was discovered to have accessed the records of patients without any legitimate work purpose for doing so between October 1, 2016 and November 22, 2016. The types of data accessed include patients’ names, demographic data, diagnostic information, clinical information (including doctor’s orders) and medication records. No Social Security numbers or financial data were accessed. The employee in question is not believed to have accessed the records with malicious intent and patients are not believed to be at risk of identity theft. Dignity Health says “appropriate action has been taken in response to the event.”
Lexington Medical Center – Employee Information Accessed by an Unauthorized Individual
Lexington Medical Center, in Lexington, SC., has discovered that a database – eConnect/Peoplesoft – containing the sensitive information of employees has been accessed by an unauthorized individual. The database contained the types of information criminals seek when sending W-2 Form phishing emails. In this case, the database does not appear to have been accessed as a result of an employee falling for such a scam. The data accessed includes the names and Social Security numbers of employees, but no patient information. Action has been taken to secure the database to prevent further access by unauthorized individuals.
Healthcare Data Breaches Reported to Office for Civil Rights in February 2017
Other recent healthcare data breaches reported to the Department of Health and Human Services Office for Civil Rights in February include:
| Covered Entity | Location | Entity Type | Records Breached | Cause of Breach |
| Universal Care, Inc. DBA Brand New Day | CA | Health Plan | 14,005 | Unauthorized Access/Disclosure |
| Family Medicine East, Chartered | KS | Healthcare Provider | 6,800 | Theft |
| Walgreen Co | IL | Healthcare Provider | 4,500 | Unauthorized Access/Disclosure |
| Catalina Post-Acute Care and Rehabilitation | AZ | Healthcare Provider | 2,953 | Improper Disposal |
| Jeffrey D. Rice, O.D., L.L.C. | OH | Healthcare Provider | 1,586 | Theft |
| Benesch, Friedlander, Coplan & Aronoff LLP | OH | Business Associate | 1,134 | Unauthorized Access/Disclosure |
| Bloom Physical Therapy, LLC dba Physicians Physical Therapy Service | AZ | Healthcare Provider | 500 | Unauthorized Access/Disclosure |