Utah Ransomware Attack Impacts 320,000 Patients

The Utah physician group, Premier Family Medicine, is notifying 320,000 patients that some of their protected health information has potentially been compromised as a result of a recent ransomware attack.

The attack occurred on July 8, 2019 and temporarily prevented access to patient data and certain systems. According to the August 30, 2019 breach notice on its website, the physician group notified law enforcement and engaged the services of technical consultants to investigate the breach and regain access to its systems and patient data. It is unclear whether the ransom demand was paid. The breach affected all ten of its Utah County locations.

“Even though our investigation has found no reason to believe patient information was accessed or taken, we are very concerned that this event even occurred and have taken steps to further enhance the security of our systems,” said Premier Family Medicine chief administrator, Robert Edwards.

Community Psychiatric Clinic Breaches Impact 15,537 Patients

Community Psychiatric Clinic, a provider of mental health services in Seattle, WA, has experienced three email security breaches that have affected a total of 15,537 patients.

Sound, a Washington provider of mental health and addiction treatment services, has recently announced it is combining its services with those of Community Psychiatric Clinic. The merger is expected to be completed in the fall of 2019.

Currently, limited information is available on the breaches. No press releases appear to have been issued and there is no mention of the breaches on the Sound website. The Department of Health and Human Services’ Office for Civil Rights’ breach portal lists three separate incidents, all reported on August 15, 2019. Those incidents affected 3,030, 6,641, and 5,866 patients.

HIPAA Journal contacted Sound requesting further information on the incident(s), but no response has been received to date.  Further information on the Community Psychiatric Clinic breach will be posted here as and when further information becomes available.

Alive Hospice Breach Notification Breaches Further Patient Information

Tennessee-based Alive Hospice experienced a data breach earlier this year which warranted notifications to affected patients. Those notifications were sent on July 3, 2019; however, a mail merge error caused letters to be sent to incorrect recipients.

The letters did not contain any patient information other than the name of the intended recipient. Anyone receiving the letter would know that the intended recipient was a patient of the Alive Hospice.

Alive Hospice has notified all affected individuals by mail and steps have been taken to prevent similar mailing errors in the future. It is currently unclear how many patients have been affected.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.