A round-up of healthcare data breaches that have recently been reported to the HHS’ Office for Civil Rights, state attorneys general, and the media.
Wisconsin Department of Health Services: Accidental Disclosure of PHI via Email
The Wisconsin Department of Health Services (DHS) has recently confirmed that there has been an accidental disclosure of protected health information via email. According to the breach notice, a presentation was emailed to the DHS Children’s Long-Term Support Council in April 2021 that contained protected health information. The presentation was then forwarded by the Council to employees working for certain county government agencies and the presentation was posted to the DHS website as part of the meeting minutes.
The error was detected on August 8, 2022, and the file was removed from the meeting minutes and replaced with a file that did not provide access to PHI. Steps were also taken to recover all distributed copies of the presentation. The presentation contained the following types of information: first and last names, date of birth, gender, county location, Wisconsin Medicaid member ID number, and social security number of affected members of Wisconsin Medicaid.
DHS said the breach affected 12,358 Wisconsin Medicaid members, who have now been notified and offered complimentary 12-month memberships to a credit monitoring service.
Smith, Gambrell & Russell, LLP: Files Potentially Stolen in 2021 Data Breach
The international corporate law firm, Smith, Gambrell & Russell, LLP, has confirmed that an unauthorized actor gained access to its network and may have reviewed files containing client information, including data provided to the firm by Flagler Hospital in Florida, Astra Group, Modis Inc, Pontoon Solutions, Inc, Valmet Corporation, and ServiceLink and affiliated ServiceLink companies.
According to the substitute breach notification on the law firm’s website, the security breach was detected on August 9, 2021. Incident response protocols were immediately implemented, law enforcement was notified, and external cybersecurity consultants were engaged to investigate the breach. It was confirmed that the attacker accessed its network and may have removed files. A vendor was then engaged to review all affected files, and the law firm says that process has only recently been completed.
The review confirmed that the data in the affected files related to 4,688 individuals across the affected companies and included addresses, Social Security numbers, driver’s license numbers, government IDs, and medical information such as treatment, diagnosis and medical history; however, no reports have been received to indicate any misuse of personal information. Affected individuals have now been notified and have been offered credit monitoring and identity theft protection services.
Zomo Health: Plan Member Information Exposed Over the Internet
Houston, TX-based Zomo Health, a provider of health management solutions, has recently announced that a spreadsheet containing plan member information has been exposed over the Internet. On August 5, 2022, Zomo Health discovered a spreadsheet was accessible on its website. Access to the spreadsheet was immediately blocked, with the investigation confirming it had been made accessible on January 15, 2022, as a result of human error. The spreadsheet contained the protected health information of 1,359 individuals including plan member names, dates of birth, Social Security numbers, health plan names, work addresses, phone numbers, email addresses, and information regarding participation in health plan incentives.
Zomo Health said the process vulnerability that led to the spreadsheet being exposed has been remediated and a third-party security company has been retained to assess the security of its technology systems on an ongoing basis and enhance its security controls. Affected individuals were notified on September 29, 2022.
Detroit Health Department: Unauthorized Disclosure of PHI to Third Party
The Detroit Health Department (DHD) has recently announced that there has been an unauthorized disclosure of clients’ protected health information. According to the breach notice, on May 12, 2022, DHD discovered that there had been an unauthorized disclosure of information in its office to a third party. The information disclosed included names, addresses, dates of birth, contact information, gender, race, marital status, household size, and participation status in certain Detroit Health Department programs. DHD said the breach did not affect all DHD clients, but it is currently unclear exactly how many individuals have been affected. Those individuals are now being notified by mail and have been provided with information on the steps that they can take to protect against identity theft and fraud.
The post Wisconsin Department of Health Services Reports Breach of 12,000 Records appeared first on HIPAA Journal.