A round-up of data breaches that have recently been reported to the HHS’ Office for Civil Rights and state attorneys general.
Blue Shield of California
Blue Shield of California has started notifying certain health plan members about a privacy violation by one of its employees. A spreadsheet containing plan members’ names, phone numbers, email addresses, addresses, Social Security numbers, and/or Taxpayer ID numbers was emailed from the employee’s work account to a personal email address on June 17, 2022. Blue Shield of California’s Privacy Officer, David Keystone, said the privacy breach was discovered on October 30, 2022, and the employee was interviewed and instructed to delete the email and any copies of the spreadsheet.
The incident has prompted Blue Shield of California to strengthen its system detection tools to prevent further impermissible disclosures of PHI. As a precaution against identity theft, affected individuals have been offered complimentary access to a credit monitoring and identity theft protection service for 12 months.
HIPAA Journal has not been able to confirm how many individuals have been affected.
Medstar Mobile Healthcare
Medstar Mobile Healthcare, which operates an emergency and non-emergency ambulance service in Tarrant County, TX, has recently announced that it was the victim of a cyberattack in which patient information was potentially compromised. Suspicious network activity was detected on October 20, 2022, and it was later confirmed that an unauthorized third party had gained access to parts of the network where patient data was stored. It was not possible to determine if those files had been accessed or copied. The review of the files revealed they mostly included non-financial billing information only; however, some individuals also had their full name, date of birth, contact information, and limited medial information exposed. The investigation into the breach is ongoing.
HIPAA Journal has not been able to confirm how many individuals have been affected.
Pediatrics West & Allergy West
Pediatrics West & Allergy West in Massachusetts have notified 1,364 patients that some of their protected health information was stored on a system that was accessed by unauthorized individuals. The breach was detected on October 17, 2022, with the forensic investigation confirming the unauthorized access occurred between August 19, 2021, and August 15, 2022. The files on the system included names, contact information, demographic information, dates of birth, diagnosis and treatment information, prescription information, medical record numbers, provider names, dates of service, and/or health insurance information. Pediatrics West said it has implemented additional safeguards and technical security measures to further protect and monitor its IT infrastructure.
The Louis A. Johnson VA Medical Center
The Louis A. Johnson Veterans’ Administration Medical Center in West Virginia has recently announced a privacy breach involving the protected health information of 736 individuals. An error was made in a mailing to veterans which resulted in their full Social Security numbers being visible on the letters. Affected veterans have been notified by mail and have been offered complimentary access to credit monitoring services. The VA has also formed a work group to investigate mailing processes to assess potential vulnerabilities, and additional controls will be put in place to prevent similar errors in the future.
The post Privacy Breaches Reported by Blue Shield of California and VA Medical Center appeared first on HIPAA Journal.