Email Incidents Result in the Potential Disclosure of the PHI of More Than 41,000 Patients

November 4, 2020

Four email-related data breaches have recently been reported by U.S. healthcare providers, along with an unspecified cyberattack on a mental health and addiction treatment provider.

12,000 Patients Impacted by Email Breach at Arkansas Otolaryngology Center

Little Rock, AR-based Arkansas Otolaryngology Center is alerting 12,000 patients about an email security breach discovered on July 17, 2020. An unauthorized individual was discovered to have gained access to the email account of an employee and was using the account to send unauthorized messages.

Assisted by a third-party computer forensics company, Arkansas Otolaryngology Center determined that four email accounts had been compromised between July 17, 2020 and July 27, 2020. It was not possible to determine whether any emails in the accounts had been subjected to unauthorized access during the time the accounts were accessible.

A review of emails and email attachments in the compromised accounts revealed they contained the following types of protected health information: names, dates of birth, medical record numbers, Social Security numbers, diagnoses, doctors’ names, driver’s license numbers, state identification card numbers, insurance group numbers, treatment locations, and treatment or procedure types or codes. A limited number of individuals also had financial account information exposed.

Upon discovery of the breach, a full password reset was performed, and additional technical safeguards have since been implemented to prevent further email breaches. Individuals affected by the breach have been offered complimentary credit monitoring services.

Centerstone of Indiana Email Breach Impacts 11,638 Patients

Centerstone of Indiana, a provider of mental health and substance use disorder treatment services in Indiana, Illinois, Tennessee, and Florida, has discovered an employee’s email account has been accessed by an unauthorized individual.

Unusual activity was detected in the email account and it was immediately secured. The investigation revealed the email account had been accessed between December 12, 2019 and December 16, 2019; however, it took until August 25, 2020 for the investigation to confirm that protected health information was contained within the account.

The protected health information of 11,638 patients was exposed in the incident, including names, dates of birth, Social Security numbers, driver’s license numbers, state identification card numbers, medical diagnoses, treatment information, Medicaid and Medicare information, and health insurance information. The types of exposed data varied from patient to patient. Some employee information was also potentially compromised.

Notification letters were sent to affected patients on Thursday, October 22, 2020 and information has been provided on the steps that should be taken to reduce the risk of misuse of their data.

Centerstone reports that $800,000 has been invested in IT security infrastructure following the breach, including new software applications and security appliances. A security audit and gap assessment are being conducted by third-party security experts to identify any other areas where security can be improved. Policies and procedures are also being reassessed, and further training on IT security has been provided to the workforce.

Perry County Memorial Hospital Discovers Email Security Breach

Perry County Memorial Hospital in Tell City, IN has discovered the email accounts of two employees have been accessed by unauthorized individuals.

An investigation was launched which revealed the accounts were accessed on August 23, 2020. A review of the compromised accounts confirmed they contained private patient data which could have been viewed or obtained by the attackers, although no evidence of data theft was identified.

The information potentially compromised was limited to names, dates of birth, diagnoses/diagnostic codes, internal patient account numbers, provider names, and other health information, along with a limited number of Social Security numbers, Medicare/Medicaid numbers, and health insurance information.

Perry County Memorial Hospital is taking steps to enhance email security to prevent similar breaches in the future. Individuals whose Social Security number was potentially compromised have been offered complimentary membership to identity theft monitoring services.

Tri-State Specialists Alerts 17,500 Patients About Email Error

Tri-State Specialists, a network of orthopedic surgery clinics serving residents in Iowa, South Dakota, and Nebraska, is alerting 17,050 patients about an incident that resulted in the impermissible disclosure of names and email addresses to a small number of current and former patients.

On September 16, 2020, Tri-State Specialists discovered an email had been sent by an employee that included patients’ names and email addresses in an attached file. No other patient information was included in the file. Patients have been advised to be vigilant for spam messages as a result of the disclosure of their email addresses.

In response to the breach, Tri-State Specialists has revised policies and procedures related to the sending of emails to prevent similar breaches in the future, and the importance of data privacy has been re-emphasized with the workforce.

BryLin Behavioral Health Notifies Patients About Potential PHI Breach

BryLin Behavioral Health System, a provider of mental health and addiction treatment services in Buffalo, NY, is alerting certain patients that some of their protected health information was potentially compromised as a result of a cybersecurity incident that occurred in August 2020.

Unusual network activity was detected by BryLin on August 19, 2020. Immediate action was taken to secure the network and an investigation was launched which revealed its systems had been compromised on August 14, 2020. Unauthorized individuals potentially accessed documents on the compromised systems that contained patient names, dates of birth, addresses, treatment information and/or clinical information and, in some instances, patients’ Social Security numbers and/or health insurance information. The breach only affected data of patients who received medical services at BryLin hospital. Patient information from its outpatient clinic, outpatient substance use, and outpatient mental health care services was not affected.

All patients affected by the breach have now been notified and the 75 patients who had their Social Security number exposed have been offered complimentary credit monitoring services.

It is currently unclear how many individuals have been affected by the breach.

The post Email Incidents Result in the Potential Disclosure of the PHI of More Than 41,000 Patients appeared first on HIPAA Journal.