PHI of More Than 240K Patients Compromised in 5 Healthcare Data Breaches

January 23, 2023

A round-up of data breaches that have recently been reported to the HHS’ Office for Civil Rights and state Attorneys General.

BayCare Clinic Announced Pixel-Related Data Breach

The Wisconsin-based healthcare provider, BayCare Clinic, LLP, has recently announced that the protected health information of up to 134,000 of its patients has been impermissibly disclosed to unauthorized third parties as a result of the use of pixels by its partner, Advocate Aurora Health. Advocate Aurora Health previously disclosed a pixel-related data breach that resulted in the personal and protected health information of up to 3 million of its patients being disclosed to third parties such as Google and Meta. The impermissible disclosures occurred when users visited its website and patient portal while logged into either their Google or Facebook accounts.

The types of information involved depended on users’ interactions on the MyChart and LiveWell websites and applications, which may have included the following types of data: IP address; dates, times, and/or locations of scheduled appointments; proximity to a practice location; provider information; type of appointment or procedure; whether the individual had insurance cover; communications between the patient and others through MyChart, which may have included first and last names and medical record numbers; and whether the user had a proxy MyChart account, in which case the first and last name of the proxy may have been disclosed.

Advocate Aurora Health has removed the pixels and will subject all tracking technologies to more stringent checks in the future. Further information on the nature of the breach can be found in this post.

Rhode Island Department of Health Reports Internal Data Breach

The Rhode Island Department of Health (RIDOH) has announced there has been an internal impermissible disclosure of patient information. The breach was discovered on October 21, 2022, with the investigation confirming patient information was impermissibly disclosed between July and October 2022. A hyperlink to a spreadsheet was included in emails sent to employees and the spreadsheet contained information about the individuals who were receiving food deliveries while in isolation or quarantine during the COVID-19 pandemic. The spreadsheet contained information such as names, addresses, phone numbers, household information, delivery information, and information about the specific food needs of those individuals.

Access to the file was immediately restricted when the issue was detected, and a scan was conducted on email accounts to determine whether the emails had been shared. RIDOH said it is not aware of any misuse of the exposed information. Steps have since been taken to prevent further disclosures of this nature, including providing additional training to employees on the handling of sensitive information. Approximately 8,800 individuals were affected.

DCH Health System Discovers Insider Data Breach

Tuscaloosa, AL-based DCH Health System has recently announced that a former employee has accessed the medical records of patients without authorization. The unauthorized medical record access was discovered by DCH Health on December 9, 2022, during a routine privacy audit. The audit revealed the employee had viewed the medical records of a patient on December 5, 2022, when there was no legitimate work reason for doing so. During the subsequent investigation, DCH Health discovered this was not the first time that medical records had been accessed by the employee, as the privacy violations had been occurring since September 2021. During that time, the records of approximately 2,530 patients were impermissibly accessed. The types of information viewed included names, addresses, birth dates, Social Security numbers, dates of encounters, diagnoses, vital signs, medications, test results, and clinical/provider notes.

DCH Health said the employee was immediately suspended when the first unauthorized access was discovered and was subsequently terminated over the privacy violations. Complimentary identity theft protection services have been offered to affected patients, although DCH Health said there are no indications that any patient information has been or will be misused. DCH Health said employees will continue to be provided with HIPAA and privacy training on appropriate access, and the incident will be used to improve privacy monitoring tools and processes.

Patient Data Compromised in Rundle Eye Care Hacking Incident

Drs. Keith and Herman Rundle have recently confirmed that the protected health information of certain Rundle Eye Care patients has been accessed and potentially obtained by unauthorized individuals. According to the breach notification letters, the attack occurred “recently” and involved patient names, birth dates, and treatment information.

While data theft may have occurred, there are no indications that patient data have been or will be misused. As a precaution against the misuse of patient data, affected patients have been offered complimentary single bureau credit monitoring services for 12 months. Measures have also been taken to strengthen system security.

While ransomware was not mentioned in the breach notice, the Everest Ransomware Group claimed responsibility for the attack and says 30 GB of data was stolen, including tax records, medical records, and prescription forms.

Satellite Healthcare Reports Breach Affecting 95,000 Patients

San Jose, CA-based Satellite Healthcare has recently reported a breach of the PHI of 95,128 patients to the Texas Attorney General, including 22 Texas residents. Few details are available on the breach at this stage as the incident has yet to appear on the website of the California attorney general and there is no notice on the healthcare provider’s website.

What is known is the breach involved protected health information such as names, medical information, health insurance information, and financial information. Notifications have been issued to affected individuals by mail. Satellite Healthcare was contacted for further information on the breach, but no immediate response was received. This post will be updated when further information becomes available.

The post PHI of More Than 240K Patients Compromised in 5 Healthcare Data Breaches appeared first on HIPAA Journal.