Thursday 30 April 2015

Phishing Scam, Stolen Laptop Lead to Potential Data Breaches

Healthcare data breaches can be caused by a variety of incidents, such as an email phishing scam, misplaced medical records, and lost or stolen mobile devices. Without a comprehensive security plan and an extensive understanding of HIPAA regulations, a facility could find itself notifying patients of a potential breach. However, even with the necessary protections in place, mistakes can still happen. When they do, it is key to notify patients quickly and then make the right changes to ensure that the same incident does not take place again.

Email phishing scam hits Maryland facility

Maryland-based St. Agnes Health Care, Inc. recently posted an announcement on its website saying that one of its employees was the victim of an email phishing scam. St. Agnes said that it sent data breach notification letters to approximately 25,000 patients, warning them that their protected information was potentially exposed.

“Through a fraudulent e-mail communication, sophisticated hackers gained access to protected health information contained in an employee e-mail account,” the statement read.

Information that was possibly compromised includes patient names, dates of birth, genders, medical record numbers, insurance information, and limited clinical information. There were four cases where Social Security numbers were exposed.

“We are taking the necessary and appropriate steps to prevent this type of incident from occurring in the future,” Saint Agnes Corporate Responsibility Officer Sharon McNamara said in a statement. “Specifically, we will continue to implement administrative, technical and physical safeguards against unauthorized access of protected health information. In this instance, we reported the incident to our email service provider and are evaluating additional ways to enhance our already robust security program.”

The statement did not specify when the breach occurred or when St. Agnes realized that an incident had taken place. However, St. Agnes is part of Ascension Health, which has had at least two of its other facilities fall victim to phishing scams recently. It has not yet been confirmed whether any of the email attacks are related.

Laptop containing member data stolen from Oregon co-op

Oregon’s Health Co-op reported that a password-protected laptop was stolen on April 3, 2015. The laptop contained member and dependent information, including current and former member and dependent names, addresses, health plan and identification numbers, dates of birth and Social Security numbers. However, there was no medical information on the laptop, according to Oregon’s Health.

Affected individuals can receive free identity protection services for one year, and can also have access to identity theft and fraud resolution assistance.

“We have engaged a cybersecurity firm to review the security of our systems and provide recommendations for reinforcing our security and technology protocols,” the facility explained on its website. “At this time, there is no evidence that there has been any use or attempted use of the information exposed in this incident.”

Oregon’s Health did not state how many members and dependents were possibly affected by the data breach, just that all former and current members who had data exposed, as well as their dependents, will be properly notified.

However, the online question and answer section potentially revealed a disturbing aspect of the notification process: members may receive a notification letter meant for someone else. Oregon’s Health said it apologized for any confusion if individuals receive a notice about a security incident that is addressed to another person.

“Yes, the CO-OP is notifying members about a recent security incident,” the answer read. “If you received a letter with someone else’s name, please destroy that letter. Another letter with correct information is on the way to you.”

Source: http://ift.tt/1PaIaB8


