Newly Reported Health Care Data Breaches Could Affect Thousands

Across the U.S., several health care organizations are reporting cybersecurity incidents that could affect thousands of individuals.

Associated Dentists

Associated Dentists in Minnesota is notifying patients that their information could have been compromised following an incident on March 19 in which two laptops were stolen, Health IT Security reports.

One of the devices was encrypted, while the other was password-protected but not encrypted. Information on the computers included:

• Addresses;
• Birth dates;
• Names; and
• Social Security numbers.

In some cases, compromised information also included:

• Diagnoses;
• Email addresses;
• Insurer names and policy numbers;
• Physician names and information; and
• Procedure and billing information.

Associated Dentists has not been notified that any information has been misused. The company will provide identity protection and restoration services for one year to affected individuals.

The number of patients affected has not been disclosed. However, it is likely that the incident affected the information of at least 500 individuals because Associated Dentists is notifying HHS, certain state regulators and statewide media, Health IT Security reports. Under HHS rules, such notification is required if the breach affects at least 500 individuals (Snell, Health IT Security, 5/19).

Beacon Health System

Beacon Health System in Indiana is notifying about 220,000 patients of a breach that could go back as far as November 2013, Health Data Management reports.

According to Beacon Health, the incident occurred when unauthorized individuals accessed multiple email inboxes at the delivery system via a phishing attack. Information in the email inboxes was last accessed by the attackers on Jan. 26 (Goedert, Health Data Management, 6/1). Officials began investigating the incident on March 25 (McCann, Healthcare IT News, 5/27).

The attack affected the system’s two hospitals, as well as affiliated physicians, according to a spokesperson.

Information compromised in the incident varies, but could include:

• Birth dates;
• Diagnoses;
• Driver’s license numbers;
• Names;
• Patient identification numbers;
• Patient statuses;
• Physician names;
• Service dates;
• Treatments; and
• Other information from medical records.

In a notice, the health system said, “While there is no evidence that any sensitive information was actually viewed or removed from the email boxes, Beacon confirmed that patient information was located within certain email boxes” involved in the phishing incident.

Beacon will offer affected individuals no-cost credit monitoring and identity protection services for one year (Health Data Management, 6/1).

Buffalo Heart Group

Buffalo Heart Group in New York has reported a data breach affecting up to 600 patients, Health IT Security reports.

In a statement, law firm Hurwitz-Fine said, “The recently completed internal investigation indicated insider wrongdoing resulted in the access of certain health information by unnamed third parties operating under the direction of a physician then associated with the medical practice and used by the physician to solicit patients in connection with the physician’s new employment.”

The breach, which occurred last year, involved information on patients':

• Addresses;
• Appointment schedules;
• Bill information;
• Dates of birth;
• Names; and
• Telephone numbers.

Officials said that Social Security numbers, health information and financial information were not affected.

Hurwitz-Fine said no precautionary or preventive measures are necessary because there has been no indication of unauthorized access since June 2014 (Snell, Health IT Security, 6/1).

Consolidated Tribal Health Project

Consolidated Tribal Health Project in California has reported that a former employee might have accessed patient and employee information inappropriately, Health IT Security reports.

The former employee accessed certain systems that contained patient and employee information, including:

• Addresses;
• Birth dates;
• Financial information;
• Health insurance information;
• Medical information;
• Names; and
• Social Security numbers.

In addition, the employee accessed systems that contained the driver’s license numbers of some CTHP employees.

CTHP has not specified the number of individuals that could be affected.

The group said it began notifying affected individuals in mid-May. CTHP also said it will provide affected individuals with one year of no-cost credit monitoring and identity protection services (Health IT Security, 5/19).

Jersey City Medical Center

Jersey City Medical Center in New Jersey is reporting a data breach that could affect 1,400 individuals, Health IT Security reports.

The breach occurred when a medical center worker accidentally sent via email a spreadsheet with patient information to an unauthorized recipient. Affected information included patients':

• Admission and discharge dates;
• Health insurance information;
• Medical center account number;
• Medical services; and
• Names.

According to the medical center, “The unintended recipient informed the medical center of the mistake on the same day that the email was sent.” It added, “The medical center attempted to obtain official confirmation that the email was completely deleted and [that] the information was not further disclosed. Unfortunately, such confirmation has not yet been received” (Health IT Security, 6/1).

New York City Health and Hospitals Corporation

New York City Health and Hospitals Corporation is notifying about 90,000 patients that their data were compromised when a former employee transferred files that contained protected health information to her personal email account and a new work-related email account, Becker’s Health IT & CIO Review reports.

The former employee said she sent the files in case “she had to respond to questions about her past work at” New York City HHC’s Jacobi Medical Center.

The emails included:

• Addresses;
• Birth dates;
• Medical record numbers;
• Patient Names;
• Some health insurance identification, including Social Security numbers;
• Some sensitive health information;
• Telephone numbers;
• Treatment dates; and
• Types of services provided.

There is no evidence that anyone besides the employee involved in the incident used the information contained in the emails, or that the information was misused, according to Health IT & CIO Review.

The incident occurred Feb. 19 and was discovered Feb. 27 (Jayanthi, Becker’s Health IT & CIO Review, 5/21). New York City HHC learned of the breach through its information governance and security program, which monitors and detects email communications that include PHI or other confidential information that are sent out of its network without authorization (Walsh, Clinical Innovation & Technology, 5/29).

Unity Recovery Group

New Hampshire-based Unity Recovery Group has notified the state’s attorney general of a data breach that occurred between April 2014 and March of this year.

The company in a statement said the breach “involved the disclosure of [patients’] personal information to one or more unaffiliated recovery and/or rehabilitation service providers, without [their] prior written consent.” Information potentially affected by the breach included patients':

• Addresses;
• Certain health-related information;
• Dates of birth;
• Email addresses;
• Insurance information;
• Names;
• Telephone numbers; and
• Social Security numbers.

Following the breach, Unity has:

• Added technological security measures;
• Adopted additional training policies for its employees;
• Hired outside legal counsel to assist in investigating the breach; and
• Hired a technology forensic firm to improve the security of the company’s IT systems.

Unity also is offering one year of no-cost identity and credit protection services to affected patients (Health IT Security, 6/1).

View the original content and more from this author here: http://ift.tt/1M0XkrV

from health IT caucus http://ift.tt/1eNfMKn
via IFTTT