Recent Hacks, Malware, and Device Theft Incidents Affect 208,000 Individuals

July 26, 2022

A round-up of data breaches that have recently been reported to the HHS’ Office for Civil Rights and state Attorneys General.

Californian EHR Vendor Reports Breach of 77,652 Records

Further information has been obtained on a data breach reported to the HHS’ Office for Civil Rights on June 2, 2022, by Clinivate, a Pasadena, CA-based provider of EHR solutions for behavioral health agencies and schools.

According to a breach notification to the California Attorney General, Clinivate detected unusual activity in its digital environment on March 23, 2022. A forensic investigation confirmed that an unauthorized third party had gained access to its network, and on May 25, 2022, it was determined that files containing the protected health information of individuals were accessed by that third party between March 12, 2022, and March 21, 2022.

The files included the protected health information of 77,652 individuals, including names, medical record numbers, health plan beneficiary numbers, treatment information, diagnosis information, other medical information, and information about payments for medical services.

Clinivate has notified affected individuals and said it has implemented additional security measures to prevent further data breaches.

McLaren Port Huron Hospital Confirms PHI of 49,000 Individuals Compromised in Cyberattack at MCG Health

McLaren Port Huron Hospital has said the protected health information of certain patients has been compromised in a cyberattack at one of its former business associates, MCG Health. MCG Health provides patient care guidelines to many health plans and almost 2,600 hospitals in the United States. On March 25, 2022, MCG Health discovered an unauthorized third party had obtained data from its network that included data elements such as names, Social Security numbers, medical codes, postal addresses, phone numbers, email addresses, dates of birth, and gender. Many MCG Health clients were affected by the incident.

McLaren Port Huron Hospital said it was notified about the breach on June 9, 2022, and that, because of the delay in being notified, it has not conducted its own investigation to determine the probability of an actual compromise of patient data. It has sent notifications to all affected individuals to warn them of the possibility that their PHI has been stolen. McLaren Port Huron Hospital stopped using MCG Health in 2019.

The data breach has been reported to the HHS’ Office for Civil Rights as affecting 48,957 McLaren Port Huron Hospital patients. Affected individuals have been offered complimentary credit monitoring and identity theft protection services for 24 months.

Kaiser Permanente Reports Theft of iPad Containing PHI

Kaiser Permanente has started notifying certain individuals that some of their protected health information was stored on an iPad that was stolen from a locked storage area at the Kaiser Permanente Los Angeles Medical Center. An unknown individual broke into the storage area and stole the iPad, and also obtained the password that provided access to the device.

The device was used at a Kaiser Permanente COVID-19 testing site, and included photographs of COVID-19 specimen labels and protected health information such as names, medical record numbers, dates of birth, and the dates and locations of service. The theft was discovered the same day and Kaiser Permanente remotely deleted the data on the device, including all photographs.

Kaiser Permanente said it has moved devices containing PHI to a more secure location and has strengthened its internal practices and procedures. Kaiser Permanente said the iPad contained the protected health information of approximately 75,000 health plan members.

Blue Cross and Blue Shield of Massachusetts Reports Third-Party Data Breach

Blue Cross and Blue Shield of Massachusetts (BCBSofMA) has recently confirmed that a data breach at a business associate has exposed the protected health information of some of its health plan members. The breach occurred at LifeWorks US Inc, which provides services related to the administration of the Retirement Income Trust, which includes making payments to pension beneficiaries.

Around June 20, 2022, a former employee of LifeWorks emailed spreadsheets to a personal email account and copied the email to the personal email account of another former LifeWorks employee. The spreadsheets contained the protected health information of individuals who were eligible for or were receiving benefits from BCBSofMA.

The former employees maintained that the spreadsheets were sent to preserve the formula used, and that attempts were made to delete all protected health information in the spreadsheets; however, some PHI remained. The former employees said they did not further disclose the information in the spreadsheets and have now deleted the spreadsheets from their personal email accounts. The information that remained in the spreadsheets was limited to names, addresses, Social Security numbers, and some pension benefit information.

BCBSofMA has reported the breach as affecting 4,855 individuals and has offered 24 months of complimentary identity theft and credit monitoring services to affected individuals. LifeWorks said it is taking steps to prevent any recurrences of incidents such as this.

Business Associate Ransomware Attack Affects Blue Shield of California Health Plan Members

A subcontractor of a vendor used by Blue Shield of California (BSofC) has suffered a ransomware attack in which the protected health information of members of BSofC and the BSofC Promise Health Plan may have been accessed or obtained. The ransomware attack was detected on April 28, 2022, by OneTouchPoint (OTP), which was a subcontractor used by business associate Matrix Medical Network.

OTP said it immediately terminated the unauthorized access to the network and launched an investigation into the breach. While it could not be confirmed if files containing health plan members’ protected health information were viewed or obtained, the possibility could not be ruled out. The files potentially accessed included names, subscriber ID numbers, diagnoses, medications, patient addresses, dates of birth, sex, physician demographics information, advance directives, family histories, social histories, allergies, vitals, immunizations, encounter data, assessment ID numbers, and assessment dates.

The data breach has been reported to the HHS’ Office for Civil Rights as affecting 1,506 health plan members. Affected individuals have been offered a complimentary 12-month membership to a credit monitoring and identity theft protection service.

The post Recent Hacks, Malware, and Device Theft Incidents Affect 208,000 Individuals appeared first on HIPAA Journal.