University of Florida Health Shands Employee Accessed PHI Without Authorization for 2 Years

University of Florida Health Shands has discovered a former employee has accessed the medical records of 1,562 patients without authorization.

The HIPAA violations were discovered on April 7, 2021 and the employee’s access to medical records was immediately terminated pending an investigation. The investigation confirmed the employee had been accessing patient medical records without a work reason for doing so from March 30, 2019 to April 6, 2021.

The types of information that could have been viewed included names, addresses, phone numbers, birth dates, and lab test results, but no Social Security numbers, financial information, or health insurance information was compromised.

University of Florida Health Shands does not believe any PHI has been stolen or further disclosed; however, out of an abundance of caution, affected individuals have been offered one year of complimentary credit monitoring services.

Third Party Breach Affects St. Paul’s PACE Patients

Community Eldercare of San Diego, dba St. Paul’s PACE, has been affected by a breach at one of its vendors. PeakTPA is a health plan management company that provides billing and other administrative services to St. Paul’s PACE. PeakTPA suffered a cyberattack on December 31, 2020 in which the records of certain St. Paul’s PACE patients were compromised.

While the cybercriminal organization behind the attack was not disclosed in its breach notice, PeakTPA said the gang was broken up by the FBI on January 27, 2021 and was informed that all documents stolen in the attack were recovered. The timing suggests the attack may have been conducted by the Netwalker ransomware gang.

PeakTPA said information accessed by the attackers included names, addresses, dates of birth, medication information and Social Security numbers. Affected individuals have been offered complimentary credit monitoring, fraud consultation, and identity theft restoration services through Kroll for 3 years. PeakTPA said additional security measures have now been implemented to prevent similar breaches in the future.

Cyberattack Impacts 29,000 St. John’s Well Child and Family Center Patients

St. John’s Well Child and Family Center, Inc. in West Sacramento, CA is notifying 29,030 individuals that some of their protected health information was potentially viewed or acquired in a cyberattack on February 3, 2021.

Upon discovery of the attack, steps were immediately taken to secure its systems and third-party cybersecurity experts were engaged to assist with the investigation. The investigation confirmed that the attackers potentially viewed or acquired protected health information such as names, Social Security numbers, and other personal or health information.

Individuals whose Social Security number was potentially compromised have been offered complimentary credit monitoring and identity theft protection services for 12 months.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.