UNC Health Care Breach Potentially Impacts 24,000 Patients
A computer used by UNC Dermatology & Skin Cancer Center in Chapel Hill, NC, has been stolen, exposing the protected health information of approximately 24,000 patients.
The computer was stolen by thieves during a burglary on October 8, 2017. UNC Health Care said a database on the stolen computer contained the protected health information of patients who had previously visited the Burlington Dermatology Center at 1522 Vaughn Road. UNC Healthcare took over the practice in September 2015, and details of patients who had visited the center for treatment prior to September 2015 were stored in the password-protected database.
Since the database requires a password to gain access to patient information, it is possible that no PHI has been disclosed. However, since passwords can be guessed, and the database was not encrypted, patients are being notified of the potential privacy breach to meet HIPAA and N.C. Identity Theft Act requirements.
The database contained information such as names, addresses, phone numbers, dates of birth, Social Security numbers, and the employment status of patients and the names of employers at the time of their visit. While it is possible that diagnosis codes were also present in the database, UNC Health Care does not believe details of diagnoses, treatments, and prescriptions have been exposed.
The burglary has been reported to law enforcement and an investigation is ongoing, but the stolen computer has not been recovered to date.
As a precaution against identity theft and fraud, all patients impacted by the breach have been offered credit monitoring services for 12 months without charge.
CCRM Minneapolis Alerts Patients of Ransomware Attack
CCRM Minneapolis, P.C., has experienced a ransomware attack that has potentially allowed the attackers to gain access to the protected health information of 3,280 patients.
The attack occurred on or around October 3, 2017. While data access and PHI theft are not suspected, and no evidence was uncovered to suggest this was anything other than an extortion attempt involving the encryption of data, CCRM Minneapolis reports that data stored on the compromised server may have been viewed.
Data potentially exposed includes names, phone numbers, addresses, dates of birth, email addresses, driver’s license numbers, Social Security numbers, medical records, and insurance identification numbers.