Work Health Solutions, a San Jose, CA-based occupational health services provider, has confirmed that the protected health information of 13,157 individuals has been exposed and potentially obtained by unauthorized individuals who had access to an employee email account between February 16, 2-022 and March 24, 2022.
Following an investigation by third-party cybersecurity professionals, Work Health Solutions determined that the email account contained files that included the information of individuals who had received services from the company. The manual review of those files concluded on October 11, 2022. Work Health Solutions then verified contact information and sent notifications on November 9, 2022.
The exposed files contained names, Social Security numbers, driver’s license numbers, health insurance information, and/or medical information. Complimentary credit monitoring services have been offered to individuals whose Social Security numbers were potentially compromised. Work Health Solutions said it continuously evaluates and modifies its practices to improve privacy and security, which includes educating its workforce regarding privacy matters.
Epic Management Email Account Breach Affects More Than 10,500 Individuals
The healthcare management company, Epic Management LLC, has recently announced that unauthorized individuals gained access to its digital environment and accessed files and data stored in its email system. Epic Management did not disclose when the breach occurred but said the review of affected files was complex and time-consuming, and that process was completed on December 9, 2022.
The information in the email system included first and last names, dates of birth, Social Security numbers, health insurance information, medical information, driver’s licenses, passport numbers, financial account numbers and routing numbers, biometric data, usernames and passwords, and/or payment card numbers and expiration dates and/or security codes.
Credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were exposed and updates have been made to its cyber environment to prevent similar incidents in the future.
NYC Health + Hospitals Alerts Patients About Loss of Device Containing PHI
NYC Health + Hospitals says a defective hard drive that contained the protected health information of 2,174 patients was discovered to be missing from a visual field testing device located at its NYC Health + Hospitals/Woodhull facility in Brooklyn, NY. Because the drive could not be located it was not possible to tell if the data on the device could be accessed, but it was confirmed that the device contained patients’ names, dates of birth, medical record numbers, and visual field test results.
In response, NYC Health + Hospitals has re-educated staff on its policy for the proper chain of custody for devices containing protected health information when those devices are taken out of service. Further, a new policy has been implemented that requires PHI to be removed from visual testing devices on a regular basis. Training has also been enhanced to ensure all employees are aware of the need to promptly notify officials about potential breaches of PHI.
Missouri Law Firm Discovers Unauthorized System Access
Polsinelli PC, a Kansas City, MO-based law firm that provides corporate legal services to hospitals, says files that contained patient information were accessed on September 9, 2022, from two locations by unauthorized individuals. A third-party cybersecurity firm was engaged to investigate the breach and determined that its network and main document repository were not affected; however, the files that were accessed included limited patient information, including names, addresses, Social Security numbers, birth dates, medical record numbers, patient account numbers, health insurance information, and very limited clinical information. Patients of St. Luke’s Health Brazosport are known to have been affected.
Credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were involved, although the law firm does not believe that any of the compromised information will be used for identity theft or fraud. The breach has been reported to the HHS’ Office for Civil Rights as affecting 1,220 individuals.
Patient Data Exposed in Cyberattack on Hawaiian Eye Center
Hawaiian Eye Center in Wahiawa, HI, has recently started notifying certain patients that some of their protected health information was stored on a server that was accessed by unauthorized individuals. The server was discovered to be unresponsive on November 2, 2022, with the investigation confirming the server and the network had been accessed by an unauthorized individual. The investigation confirmed that files containing patient information had been exfiltrated from its system by the attackers.
Those files contained names, addresses, email addresses, dates of birth, Social Security Numbers, driver’s license numbers, medical record numbers, and health insurance information. Affected individuals have been notified and provided with single-bureau credit monitoring services. Third-party cybersecurity experts have been engaged to conduct a review of its security practices and systems, and appropriate upgrades will be implemented to prevent further incidents in the future.
It is currently unclear how many individuals have been affected.
The Elizabeth Hospice Identifies Insider Data Breach
The Elizabeth Hospice, a non-profit hospice with locations in Carlsbad, Escondido, San Diego, and Temecula, CA, has discovered that a former employee had been forwarding emails from her work email account to a personal account while she was employed by the hospice. A review of the emails was completed on November 14, 2022, and confirmed they contained first and last names, dates of admission, dates of discharge, patient account numbers, and basic health information. The Elizabeth Hospice said it is unaware of any actual or attempted misuse of patient data but has advised affected individuals to be vigilant and monitor their accounts and statements for unauthorized activity.
It is currently unclear how many individuals have been affected.
The post Six Data Breaches Reported by Healthcare Providers and Business Associates appeared first on HIPAA Journal.