COVID-19 Vaccination Statuses of 500,000 VA Employees have been Impermissibly Disclosed

By | December 7, 2022

The COVID-19 vaccination statuses of approximately 500,000 Department of Veterans Affairs employees have been impermissibly disclosed. According to the VA, a spreadsheet containing employee names and their vaccination statuses was placed on SharePoint without appropriate access permissions being set and an email with a link to the spreadsheet was sent on behalf of the Veterans Health Administration (VHA) Healthcare Operations Center to VHA VISN directors, deputy network directors, administrative representatives, central office senior leaders, and healthcare ops controllers. The spreadsheet also included details of claimed religious and medical exceptions to COVID-19 vaccination.

The internal investigation conducted by the VA’s Data Breach Response Service concluded the information had been impermissibly disclosed and the spreadsheet was removed from SharePoint. The VA concluded that there was a low risk of misuse of that information.

Urology of Greater Atlanta Notifies Almost 80,000 Patients About August 2021 Data Breach

In October 2022, Urology of Greater Atlanta in Georgia reported a data breach to the HHS’ Office for Civil Rights that had affected 79,795 patients. At the time it was unclear exactly how that information was breached. Urology of Greater Atlanta has now confirmed that it was the victim of a cyberattack that was detected on August 29, 2021. According to the substitute breach notice recently added to the Urology of Greater Atlanta website, the forensic investigation revealed an unauthorized third party had access to its network between August 8, and August 29, 2021.

When the breach was detected, third-party forensics experts were engaged to investigate the breach and secure its systems. The investigation confirmed that the medical records database and billing/practice management system were not accessed; however, documents on the network were potentially viewed or obtained that included protected health information such as names, addresses, birth dates, ages, date(s) of service, patient account numbers, diagnoses and treatment information, medical histories, and similar information found in medical charts. In some cases, Social Security numbers, driver’s license numbers, or financial account information, were also exposed.

Urology of Greater Atlanta said it has been working extensively with third-party security experts to better protect its systems, and additional safeguards have now been put in place, including replacing certain components and changing remote access protocols. Notification letters are now being sent and complimentary identity theft protection services are being offered. Urology of Greater Atlanta said no evidence of misuse of patient information was identified. Urology of Greater Atlanta did not explain why it took 15 months to issue notifications.

Salud Family Health Reports Data Breach Affecting 80,000 Individuals

Salud Family Health, a Fort Lupton, CO-based Federally Qualified Health Center (FQHC) with 13 clinics in Colorado, has recently announced that an unauthorized third party gained access to its network. The intrusion was detected on September 5, 2022, and third-party computer specialists were engaged to investigate the nature and scope of the breach.

The investigation determined that files containing patient and employee information may have been viewed or stolen. The review of those files revealed they contained information such as names, Social Security numbers, driver’s license numbers, government-issued ID numbers, financial information, medical information, and health insurance information. Salud Family Health said impacted employees and patients have been offered free credit monitoring and identity fraud protection services.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, but the notification sent to the Texas Attorney General indicates up to 80,621 individuals have been affected.

Orlando Health Employee Email Account Breached

Orlando Health has recently notified 3,662 patients that some of their protected health information was stored in an employee’s email account that was accessed by an unauthorized individual. The email account was accessed between July 5, 2022, and July 13, 2022. Orlando Health said that based on the role of the employee, there was no expectation that the email account contained any patient information; however, the review of the contents of the account revealed on September 19, 2022, that emails and attachments in the account contained certain demographic and clinical information and, for certain patients, health insurance information and/or Social Security numbers.

It was not possible to tell which emails in the account were accessed or if any emails or attachments were downloaded. Notification letters started to be sent to affected individuals on November 18, 2022. The review of the emails is ongoing, and additional letters will be mailed to individuals who are later determined to have been affected. Complimentary credit monitoring and identity protection services have been offered to individuals who had their Social Security numbers exposed. Orlando Health said it is reinforcing education with its staff and is implementing additional security enhancements to its email environment.

The post COVID-19 Vaccination Statuses of 500,000 VA Employees have been Impermissibly Disclosed appeared first on HIPAA Journal.