Recent healthcare data breaches include a PHI data breach, phishing attack, compromised email account, and a vendor error that won't go away.
April 19, 2018 - Blue Shield of California admitted to a PHI data breach involving an insurance broker who was not authorized to receive patient information, according to a breach notification submitted to the California Attorney General’s Office.
The Blue Shield of California Privacy Office received confirmation on March 23, 2018 that a breach had occurred in November 2017 during the 2018 Medicare Annual Enrolment Period when a Blue Shield employee emailed a document containing PHI to an insurance broker “in violation of Blue Shield policies.”
The PHI included names, home addresses, mailing addresses, Blue Shield subscriber identification numbers, telephone numbers, and subscribers’ Blue Shield Medicare Advantage plan numbers.
Blue Shield of California said that it believes the insurance broker may have contacted some of the individuals identified in the document to sell a Medicare Advantage Plan offered by another health insurance company.
The health insurer said that individuals affected by the disclosure are eligible for free identity repair and credit monitoring services.
UnityPoint Health said in a statement emailed to HealthITSecurity.com that its email system had been hacked by a phishing attack that compromised employee email accounts.
On February 15, UnityPoint discovered the breach, which exposed members’ PHI, including dates of birth, medical record numbers, treatment information, surgical information, diagnoses, lab results, medications, providers, dates of service, and insurance information.
For some individuals, their Social Security numbers and financial information may also have been exposed.
“To date, we are not aware of any reports of identity fraud, theft, or improper use of information as a direct result of this incident. However, we want to make impacted individuals aware of the situation, so they can take precautionary measures to protect their health information,” the company said in a statement.
Sangamo Exec's Email Account Was Compromised for 11 Weeks
Sangamo Therapeutics, a Richmond, California-based gene therapy firm, reported to the Securities and Exchange Commission a breach in which a senior executive’s corporate email account was compromised, resulting in the possible disclosure of proprietary, confidential, and other sensitive information from the company.
The executive’s email account remained compromised for 11 weeks before the breach was discovered.
However, patient information was not disclosed, and the company’s network and other IT systems were not compromised, concluded third-party network security experts hired by the firm.
“The company is continuing to analyze the effects of the incident, along with appropriate remediation of the company’s information technology systems, and that analysis and the related remediation efforts could ultimately reveal that other company information technology systems were compromised and/or that additional information was revealed or compromised,” the SEC Form 8-K related.
An employee with Carolina Digestive Health Associates (CDHA) stole names, Social Security numbers, and dates of birth of around 100 patients and provided them to fraud suspects, according to a report by WSOCTV.com.
One of the individuals, Demonte Winthers, was under federal investigation for his role in an identity theft ring, the report noted.
Charlotte, North Carolina-based CDHA issued a statement confirming the breach. The healthcare provider said it was informed about the breach on January 10 by the Charlotte-Mecklenburg Police Department.
The police asked CDHA to delay notifying patients while it was investigating the incident. CDHA said the employee has since been fired.
“CDHA takes the security of all patient information very seriously and is taking steps to prevent a similar event from occurring in the future, including restricting employee access to patients’ sensitive information, and increasing the monitoring and auditing of access to patient records,” the healthcare provider said in the statement.
Another healthcare provider has been affected by the data breach at FastHealth, a healthcare website services provider that has admitted to a breach of its server.
War Memorial Hospital (WMH) community members have received letters from FasthHealth informing them of the breach, reported TV6 in Upper Michigan.
Last month, Curry Health Network in southern Oregon said that it had been informed that an unauthorized third party had access FastHealth’s server, which contained information in the CHN employment application form.
“This potential breach of information of the FastHealth servers is unfortunate. WMH discontinued contracted services in 2013. We take the privacy of community members, employees and patients very seriously,” said WMH CEO David Jahn.
The FastHealth server contained information submitted on the WMH employment application forms, from which information may have been accessed, the reported noted.
The compromised information did not include PHI, such as medical records, patient portal data, online bill pay information such as credit card or bank account, or any other forms on the website or linked to/from the website.