UW Health Discovers 4-Month Breach of Its MyChart Portal

University of Wisconsin Hospitals and Clinics Authority has reported a breach of its Epic MyChart portal which has affected 4,318 UW Health patients. Unusual activity was detected in the portal and an investigation was launched on April 20, 2021, to determine the nature and extent of the breach.

The investigation ran until May 4, 2021, and determined unauthorized individuals had access to the portal for a period of around 4 months, with dates of access ranging from December 27, 2020 to April 13, 2021.

UW Health said the individual had viewed the MyChart patient portal homepage which displays clinical information such as hospital admission dates, appointment reminders, care team, subject lines of messages from providers, and prompts to view new test results. Pages were also accessed that included some patient appointment and admission dates, demographic information such as names, addresses, phone numbers, and email addresses, health insurance and claims information, diagnoses, medications, and test results. Notification letters were sent to affected patients starting on June 18, 2021.

UW Health has taken steps to improve security such as strengthening password security, implementing 2-factor authentication for access to the MyChart portal, deactivating accounts that have been inactive for 15 months, and enhancing its monitoring processes.

Jones Family Dental Computers Hacked

Jones Family Dental in Ashland, OR, has reported a hacking incident in which the protected health information of 6,493 current and former patients was potentially compromised. An investigation was launched following the detection of suspicious computer activity, which revealed its computers had been accessed by an unauthorized individual between April 15, 2021, and April 18, 2021.

It was not possible to determine whether computers containing patient information were accessed, but the possibility could not be ruled out. The practice does not believe any patient data was accessed or exfiltrated; however, notification letters were sent to affected individuals as a precaution.

Patient information on the computer network at the time of the breach included the following data elements: name, address, date of birth, driver’s license number, treatment notes, health history, diagnostic information, and/or health/dental insurance information.

Security policies and procedures are being reviewed and will be updated to prevent similar breaches in the future.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.