Healthcare Data Privacy

September 2018 Healthcare Data Breach Report

Posted by HIPAA Journal

For the second consecutive month there has been a reduction in both the number of reported healthcare data breaches and the number of exposed healthcare records. In September, there were 25 breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights – the lowest breach tally since February.

Healthcare data breaches April to September

There was also a substantial reduction in the number of exposed/stolen healthcare records in September. Only 134,000 healthcare records were exposed/stolen in September – A 78.5% reduction in compared to August. Fewer records were exposed in September than in any other month in 2018.

Causes of September 2018 Healthcare Data Breaches

In August, hacking/IT incidents dominated the healthcare breach reports, but there was a major increase (55.55%) in unauthorized access/disclosure breaches in September, most of which involved paper records. There were no reported cases of lost paperwork or electronic devices containing ePHI, nor any improper disposal incidents.

September 2018 Healthcare Data Breaches - Causes

While there were fewer hacking/IT incidents than unauthorized access/disclosure incidents in September, they resulted in the exposure of more healthcare records. Six of the top ten healthcare data breaches in September were hacking/IT incidents.

Ten Largest Healthcare Data Breaches in September 2018

Covered Entity Entity Type Records Exposed Breach Type Location of PHI
WellCare Health Plans, Inc. Health Plan 26942 Unauthorized Access/Disclosure Paper/Films
Reliable Respiratory Healthcare Provider 21311 Hacking/IT Incident Email
Toyota Industries North America, Inc. Health Plan 19320 Hacking/IT Incident Email
Independence Blue Cross, LLC Business Associate 16762 Unauthorized Access/Disclosure Other
Ransom Memorial Hospital Healthcare Provider 14329 Hacking/IT Incident Email
Ohio Living Healthcare Provider 6510 Hacking/IT Incident Email
University of Michigan/Michigan Medicine Healthcare Provider 3624 Unauthorized Access/Disclosure Paper/Films
Reichert Prosthetics & Orthotics, LLC Healthcare Provider 3380 Theft Other Portable Electronic Device
J.A. Stokes Ltd. Healthcare Provider 3200 Hacking/IT Incident Desktop Computer, Electronic Medical Record, Network Server
J&J Medical Service Network Inc. Business Associate 2500 Hacking/IT Incident Network Server

Location of Breached Protected Health Information

Over the past few months, email has been the most common location of breached PHI. September also saw a high number of email-related breaches reported – mostly due to phishing attacks – but the highest percentage of breaches involved paper records. There were 9 incidents involving unauthorized access/disclosure of paper records and one theft incident.

Data Breaches by Covered Entity Type

There was a 150% month-over-month rise in health plan data breaches in September, although healthcare providers were the worst affected with 17 healthcare data breaches reported in September 2018. While there were only 3 data breaches reported by business associates of HIPAA-covered entities, a further four breaches had some business associate involvement.

Healthcare Data Breaches by State

Healthcare organizations based in 18 states reported data breaches in September. Texas was the worst affected with four separate healthcare data breaches in September. There were three breaches reported by healthcare providers in Massachusetts and two reported breaches in California and Kansas. One breach was reported in Arizona, Colorado, Florida, Indiana, Michigan, Nebraska, New Jersey, Nevada, New York, Ohio, Oregon, Pennsylvania, Rhode Island, and Wisconsin.

HIPAA Enforcement Actions in September

After two months without any OCR financial penalties, OCR agreed settlements with three hospitals in September to resolve potential HIPAA violations. All three hospitals were alleged to have violated the HIPAA Privacy Rule by allowing an ABC film crew to record footage for the TV show “Boston Med.”

In all cases, OCR determined that patient privacy had been violated by allowing filming to take place without first obtaining patients’ consent. OCR also determined there had been failures to safeguard patients’ protected health information.

Massachusetts General Hospital agreed to a settlement of $515,000, Brigham and Women’s Hospital settled its case with OCR for $384,000, and Boston Medical Center paid OCR $100,000. New York Presbyterian Hospital had already settled its Boston Med-related case with OCR for $2.2 million in 2016.

State attorneys general also enforce HIPAA Rules and can issue fines for HIPAA violations. In September there was one settlement agreed with a state attorney general.  UMass Memorial Health Care paid $230,000 to Massachusetts to resolve alleged HIPAA failures related to two data breaches that exposed the protected health information (PHI) of more than 15,000 state residents. In both cases, employees had accessed and copied PHI without authorization.

The post September 2018 Healthcare Data Breach Report appeared first on HIPAA Journal.

OIG Publishes 2016 Medicaid Data Breach Report

Posted by HIPAA Journal

A new report released by the Department of Health and Human Services’ Office of Inspector General (OIG) has revealed the vast majority of Medicaid data breaches are relatively minor and only affect an extremely limited number of individuals.

For the study, OIG assessed all breaches reported by Medicaid agencies and their contractors in 2016. According to the report, the records of 515,000 Medicaid beneficiaries were exposed in 2016, spread across 1,260 data breaches.

Almost two thirds of Medicaid data breaches reported in 2016 affected a single person with a further 29% of breaches affecting between 1 and 9 individuals. Large-scale breaches, which resulted in the data of 500 or more beneficiaries being exposed, accounted for 1% of the annual total.

While the breach causes were highly varied, the majority of incidents were the result of simple errors such as misaddressing a letter, fax, or email. Those breaches only resulted in a very limited amount of PHI being exposed, such as a beneficiary name and Medicaid or other ID number. Out of the 1,260 breaches only 303 resulted in the exposure of a Social Security number and just 23 involved financial information. Hackers may be responsible for a large percentage of healthcare data breaches, but there were only 9 hacking incidents reported in 2016 that resulted in the exposure of Medicaid data.

Image source: HHS Office of Inspector General

OIG explained that previous reviews have concentrated on identifying vulnerabilities in states’ information systems and controls, which could potentially be exploited to gain access to Medicaid systems and data. This review was concerned with the breach response when security incidents occur. An efficient breach response can limit the potential for harm such as identify theft.

In addition to an analysis of Medicaid data breaches, OIG also assessed the breach response policies and procedures in 50 states and the District of Columbia. OIG discovered a common breach reporting framework has been adopted by the majority of U.S. states, which covers investigations of breaches and their scope, the best way to respond to data breaches, how to protect breach victims, and identifying the actions to take to correct vulnerabilities to prevent future security incidents. OIG also assessed the responses to individual breaches in nine states to gain a better understanding of the breach response processes.

OIG noted that the breach response processes varied slightly from state to state, with all meeting the requirements of HIPAA as well as state-specific laws. While all breaches were reported to the HHS’ Office for Civil Rights to meet the requirements of the HIPAA Breach Notification Rule, many states failed to routinely notify the Centers for Medicare & Medicaid Services (CMS) separately, even though the CMS has required states to do so since 2006.

OIG suggests that this was likely due to the introduction of the HIPAA Breach Notification Rule in 2009.

The failure to report Medicaid breaches directly to the CMS hampers the agency’s ability to monitor data security issues nationally. This can make it harder to identify multi-state data breaches and determine when best practices and guidance need to be issued to correct common data security issues.

To correct the problem, OIG has recommended CMS should issue updated guidance for Medicaid agencies and their contractors and detail the circumstances that warrant a separate breach notification to be issued to the CMS.

CMS concurred with the recommendation, although did point out that the reporting requirements had been made clear in a 2006 State Medicaid Director Letter to Medicaid agencies and contractors.

The OIG report can be downloaded on this link (PDF, 2.1MB)

The post OIG Publishes 2016 Medicaid Data Breach Report appeared first on HIPAA Journal.

CMS Investigating 75,000-Record Breach of Federally Facilitated Exchanges Direct Enrollment System

Posted by HIPAA Journal

The Centers for Medicaid & Medicare Services (CMS) has discovered hackers have gained access to a health insurance system that interacts with the HealthCare.gov website and have accessed files containing the sensitive information of approximately 75,000 individuals.

On October 13, 2018, CMS staff discovered anomalous activity in the Federally Facilitated Exchanges system and the Direct enrollment pathway used by agents and brokers to sign their customers up for health insurance coverage. On October 16, the CMS confirmed there had been a data breach and a public announcement about the cyberattack was made on Friday October 19, 2018.

While the number of files accessed only represents a small fraction of the total number of consumer records stored in the system, it is still a sizable and serious data breach. The files contained information supplied by consumers when they apply for healthcare plans through agents and brokers, including names, telephone numbers, addresses, Social Security numbers, and income details.

While the CMS has confirmed that the files have been accessed by unauthorized individuals, it is currently unclear whether any files were actually stolen by the attackers.

The investigation into the cyberattack is ongoing and the CMS is currently working on implementing new security controls to prevent further attacks. The Direct Enrollment system has been temporarily taken offline to allow the security updates to be applied. The CMS expects the system to be offline for about a week. It will be back online for the upcoming enrollment period that commences on November 1.

“Our number one priority is the safety and security of the Americans we serve. We will continue to work around the clock to help those potentially impacted and ensure the protection of consumer information,” said CMS Administrator Seema Verma.

The CMS notes that the attack only affected the system used by agents and brokers. There has not been a breach of the HealthCare.gov website which is used by consumers to personally sign up for health insurance coverage. “I want to make clear to the public that HealthCare.gov and the Marketplace Call Center are still available,” said Verma.

The CMS will be sending notification letters to all individuals whose personal information has been exposed and will be providing further information on the steps they can take to prevent misuse of their data. The CMS will release further information about the breach as and when it becomes available.

The post CMS Investigating 75,000-Record Breach of Federally Facilitated Exchanges Direct Enrollment System appeared first on HIPAA Journal.

Aetna Settles HIPAA Violation Case with State AGs

Posted by HIPAA Journal

In 2017, errors occurred with two Aetna mailings that resulted in the impermissible disclosure of the protected health information of plan members, including HIV statuses and AFib diagnoses.

A class action lawsuit was filed on behalf of the victims of the HIV status breach which was settled for $17 million in January. Now Aetna has reached settlements with the attorneys general for New Jersey, Connecticut, and the District of Columbia to resolve the alleged HIPAA violations discovered during an investigation into the privacy breaches.

The first mailing was sent on July 28, 2017 by an Aetna business associate. Over-sized windowed envelopes were used for the mailing, through which it was possible to see the names and addresses of plan members along with the words “HIV Medications.” Approximately 12,000 individuals received the mailing.

In September, a second mailing was sent on behalf of Aetna to 1,600 individuals. This similarly resulted in an impermissible disclosure of PHI. In addition to names and addresses, the logo of an IMPACT AFib study was visible, which suggested the individual had been diagnosed with atrial fibrillation.

A multi-state investigation was launched to investigate potential violations of the Health Insurance Portability and Accountability Act (HIPAA) and state laws pertaining to the protected health information of state residents, including the Consumer Protection Procedures Act in DC and the New Jersey AIDS Assistance Act.

The investigation confirmed that in both cases there had been an impermissible disclosure of protected health information, that Aetna failed to protect consumers’ confidential health information, and that Aetna had deceived consumers about its ability to safeguard their health information.

Aetna has agreed to settlements with the State of Connecticut ($99,959), the District of Columbia ($175,000) and a civil monetary penalty of $365,211.59 will be paid to the State of New Jersey. Washington also participated in the investigation but has yet to decide on an appropriate settlement amount.

“Companies entrusted with individuals’ protected health information have a duty to avoid improper disclosures,” said New Jersey attorney general Gurbir Grewal. “Aetna fell short here, potentially subjecting thousands of individuals to the stigma and discrimination that, unfortunately, still may accompany disclosure of their HIV/AIDS status. I am pleased that our investigation has led Aetna to adopt measures to prevent this from happening again.”

“Every patient should feel confident that their insurance company or health provider will safeguard their confidential medical information. Today’s action will prevent further disclosures and warns other insurance companies that they are responsible for protecting consumers’ private information,” said, District of Columbia attorney general Karl A. Racine.

The post Aetna Settles HIPAA Violation Case with State AGs appeared first on HIPAA Journal.

Minnesota DHS Notifies 21,000 Patients That Their PHI Has Potentially Been Compromised

Posted by HIPAA Journal

This week, the Minnesota Department of Human Services has mailed letters to approximately 21,000 individuals on medical assistance to alert them to a possible breach of their protected health information (PHI) due to two recent phishing campaigns.

Two DHS employees’ email accounts have been confirmed as having been compromised as a result of the employees clicking on links in phishing emails. The investigation into the breach determined that the attackers accessed both email accounts although it was not possible to determine which, if any, emails in the account had been accessed or copied by the attackers.

Minnesota DHS has reason to believe that other employees may also have been targeted and could also have clicked on links in phishing emails, but it has not yet been confirmed whether their accounts have been breached. The investigation into the phishing attacks is ongoing.

The two email account breaches occurred on June 28 and July 9, 2018, although the IT department only determined that the accounts had been breached in August. Upon discovery of the phishing attack, both accounts were secured to prevent further access.

It has taken a considerable amount of time to conduct the investigation and determine which patients have been affected. That process required every single email in each account to be checked for patient information, hence the delay in issuing breach notification letters.

Most of the individuals affected by the breach had previously interacted with the State Medical Review Team, although some individuals who had received services from Minnesota DHS Direct Care and Treatment facilities also had some of their PHI exposed.

The PHI in the compromised email accounts included full names, addresses, telephone numbers, birth dates, Social Security numbers, educational records, medical information, employment information, and financial information.

“We immediately took steps to secure these accounts, and currently have no evidence that any information was actually viewed, downloaded or misused,” explained Minnesota DHS in a statement about the breach. “We take data privacy very seriously at DHS, and continue to work with our employees and partners to prevent cyberattacks.”

The post Minnesota DHS Notifies 21,000 Patients That Their PHI Has Potentially Been Compromised appeared first on HIPAA Journal.

HSS Secretary Issues Limited Waiver of HIPAA Penalties Following Declaration of Public Health Emergency in Florida and Georgia

Posted by HIPAA Journal

Following the presidential declaration of public health emergencies in the states of Florida and Georgia in the wake of hurricane Michael, secretary of the Department of Health and Human Services (HHS) Alex Azar has followed suit in both states and has exercised his authority to waive HIPAA sanctions and penalties for certain provisions of the HIPAA Privacy Rule in the disaster areas.

The HHS announced the public health emergency in Florida on October 9, and Georgia on October 11.

The HIPAA Privacy Rule does permit healthcare providers to share protected health information during disasters to assist patients and ensure they receive the care they need, including sharing information with friends, family members and other individuals directly involved in a patient’s care. The HIPAA Privacy Rule allows the sharing of PHI for public health activities and to prevent or reduce a serious and imminent threat to health or safety. HIPAA-covered entities are also permitted to share information with disaster relief organizations that have been authorized by law to assist with disaster relief efforts without first obtaining permission from patients.

During natural disasters the HIPAA Privacy and Security Rules remain in effect, although following the secretarial declaration, sanctions and penalties against HIPAA covered entities have been waived for the following provisions of the HIPAA Privacy Rule:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b).

The waiver only applies to qualifying hospitals in the emergency area for the period identified in the public health emergency declaration. Qualifying hospitals are permitted to take advantage of the waiver for up to 72 hours, provided their disaster protocol has been implemented.

The waiver is only in place for the 72-hour period or the duration of the public health emergency declaration, whichever terminates sooner. Once the 72-hour time period is over or the presidential or secretarial declaration terminates, the waiver ends, even for patients still under a hospital’s care.

“We are working closely with state health authorities and private sector partners from hospitals and other healthcare facilities to save lives and protect public health after Hurricane Michael,” said secretary Azar. The declarations will help to ensure that residents in both states have continuous access to the care they need.”

The HHS has said more than 400 medical and public health personnel have been moved into the disaster areas along with caches of medical equipment and a further 300 personnel from the National Disaster Medical Systems and the U.S. Public Health Service Commissioned Corps have been placed on alert. HHS teams will be providing medical services in shelters, assisting with disease surveillance, offering behavioral support to residents and responders, and will be helping to assess whether further federal medical and health support is required in the disaster areas.

HHS guidance on hurricane preparedness, response and recovery can be found here.

The post HSS Secretary Issues Limited Waiver of HIPAA Penalties Following Declaration of Public Health Emergency in Florida and Georgia appeared first on HIPAA Journal.

California HIV Patient PHI Breach Lawsuit Allowed to Move Forward

Posted by HIPAA Journal

A lawsuit filed by Lambda Legal on behalf of a victim of a data breach that saw the highly sensitive protected health information of 93 lower-income HIV positive individuals stolen by unauthorized individuals has survived a motion to dismiss.

The former administrator of the California AIDS Drug Assistance Program (ADAP), A.J. Boggs & Company, submitted a motion to dismiss but it was recently rejected by the Superior Court of California in San Francisco.

In the lawsuit, Lambda Legal alleges A.J. Boggs & Company violated the California AIDS Public Health Records Confidentiality Act, the California Confidentiality of Medical Information Act, and other state medical privacy laws by failing to ensure an online system was secure prior to implementing that system and allowing patients to enter sensitive information.

A.J. Boggs & Company made its new online enrollment system live on July 1, 2016, even though it had previously received several warnings from nonprofits and the LA County Department of Health that the system had not been tested for vulnerabilities.

It was alleged that the failure to ensure its system was secure meant that any information entered in the portal by patients was at risk of exposure and could potentially be obtained by unauthorized individuals. In November 2016, four months after the system went live, A.J. Boggs & Company took the system offline to correct the flaws.

However, in February 2017, the California Department of Health discovered that the flaws in its portal had been exploited and unauthorized individuals had gained access to the system and had downloaded the private and highly sensitive information of 93 patients with HIV or AIDS. Following the discovery, the contract with the firm was cancelled and a new state-run system was adopted.

The ADAP program provides states with federal funding to provide financial assistance to low-income individuals with HIV or AIDS to make HIV medications more affordable, extending access to Medicaid when patients earned too much. Any medical data breach is serious, although the disclosure of an individual’s HIV status is especially so.

“HIV is still a highly stigmatized medical condition,” said Scott Schoettes, HIV Project Director at Lambda Legal. “When members of already vulnerable communities — transgender people, women, people of color, undocumented people, individuals with low incomes — already face challenges in accessing health care, undermining the trust they have in the ADAP is not just a breach of security; it creates a barrier to care.”

Lambda Legal is seeking statutory and compensatory damages for the patient and is seeking class action status to allow the other 92 breach victims to be included in the lawsuit.

The post California HIV Patient PHI Breach Lawsuit Allowed to Move Forward appeared first on HIPAA Journal.

Cybersecurity Best Practices for Device Manufacturers and Healthcare Providers to be Issued by HSCC

Posted by HIPAA Journal

The Healthcare & Public Health Sector Coordinating Council (HSCC) has announced it will shortly issue voluntary cybersecurity best practices to help medical device manufacturers improve the security of their devices and help healthcare provider organizations improve security posture. HSCC will also publish a voluntary curriculum that can be adopted by medical schools to help them train clinicians how to manage electronic health records, medical devices, and IT systems in a secure and responsible way.

The announcement coincides with National Cyber Security Awareness Month and includes an update on the progress that has been made over the past 12 months and the work that the HSCC still intends to complete.

HSCC explained that the global cyberattacks of 2017 involving WannaCry and NotPetya malware served as a wake-up call to the healthcare industry and demonstrated the potential harm that could be caused if an attack proved successful. Many large companies were crippled by the attacks for weeks. Fortunately, the healthcare industry in the United States escaped the attacks relatively unscathed, although the National Health Service in the UK was badly affected and had its systems crippled.

Later in 2017, the Healthcare Industry Cybersecurity Task Force, which was set up following the passing of the Cybersecurity Act of 2015, submitted a report to Congress that included more than 200 recommendations for improving healthcare cybersecurity and preventing cyberattacks on healthcare organizations from succeeding.

Since the report was released, scores of healthcare industry stakeholders have joined the HSCC Cybersecurity Working Groups and Task Groups and have been working toward strengthening cybersecurity in the healthcare industry and improving privacy protections for patients.

HSCC held a multi-stakeholder meeting in February 2018 to improve coordination of efforts to address cybersecurity challenges and the HHS held a meeting in June 2018 where members of the HSCC Cybersecurity Working Group provided an update on progress and received further direction on key priorities.

HSCC notes that there is considerable momentum and great strides are being taken to improve healthcare cybersecurity. As detailed in September’s National Cyber Strategy, policymakers within the Administration and Congress are addressing cybersecurity threats and state that the government will work closely with the private sector to manage risks to critical infrastructure, including healthcare.

The Pandemic and All-Hazards Preparedness and Advancing Innovation Act of 2018 (H.R. 6378) now contains cybersecurity provisions and requires the HHS to submit its strategy to Congress for public health preparedness and response to address cybersecurity threats. A joint table-top exercise will also be conducted with the HHS covering a simultaneous flu pandemic and cascading ransomware attack.

“We recognize that patient safety has taken on a new dimension that demands our attention – the recognition that patient security requires cybersecurity,” explained HSCC. “The health sector is now organized and working to fortify the industry’s immune system against a cyber epidemic that has become as infectious as a human epidemic.”

The post Cybersecurity Best Practices for Device Manufacturers and Healthcare Providers to be Issued by HSCC appeared first on HIPAA Journal.

Summary of Recent Healthcare Data Breaches

Posted by HIPAA Journal

A round up of healthcare data breaches recently announced by healthcare providers and business associates of HIPAA covered entities.

Tillamook Chiropractic Clinic Discovers 26-Month Malware Infection

The medical records of 4,058 patients of the Tillamook Chiropractic Clinic in Tillamook, OR have been stolen as a result of a malware infection.

On August 3, 2018, the clinic conducted an internal security audit which showed that malware had been installed on its network, even though a firewall was in place, antivirus and antimalware software were installed and up to date, and its software was fully patched. An investigation into the security breach revealed the malware had been installed on May 24, 2016 and had remained undetected for 26 months. The malware had been installed on the primary insurance billing system, which the clinic reports was used as a staging area by the attackers to collect patient records before exfiltrating the data.

The information believed to have been stolen includes full names, home addresses, work addresses, dates of birth, phone numbers, diagnoses, lab test results, medications, driver’s license numbers, insurance billing information, bank routing numbers, bank account numbers, employee payroll data, and for Medicare patients, Social Security numbers.

Tillamook Chiropractic Clinic removed the malware on August 3, 2018 and has now modernized and upgraded its computer security systems and policies.

Gwinnett Medical Center Investigating Possible Hack

A possible data breach has occurred at Lawrenceville, GA-based Gwinnett Medical Center. The PHI of approximately 40 patients has been accessed by an unauthorized individual according to Gwinnett Medical Center spokeswoman Beth Hardy. Names, genders, and dates of birth were exposed on Twitter and notification letters are being sent to those 40 individuals to alert them to the breach.

However, the breach could be far larger. Steve Ragan at Salted Hash reported that a source at the medical center said threats had been received from the attackers and that the breach potentially impacts hundreds of patients. The attackers allegedly posted data on Twitter as they claimed the medical center was attempting to cover up the breach.

Gwinnett Medical Center has informed the FBI about the security breach and is still conducting investigations into the cyberattack.

Hardy said, “GMC takes cyber security very seriously and we are committed to maintaining the integrity, availability and confidentiality of our systems and data.”

Toyota Industries North America Breach Impacts 19,000 Individuals

Columbus, IN-based Toyota Industries North America (TINA) has announced that approximately 19,000 current and former employees and health plan participants of the TINA family of companies have been informed that some of their PHI has been exposed. An unauthorized individual succeeded in gaining access to a small number of company email accounts and potentially viewed/copied PHI.

The breach was discovered on August 30 and information security experts were called in to help secure its system and investigate the breach. A wide range of PII and PHI were present in the compromised email accounts including first and last names, home addresses, dates of birth, phone numbers, financial account information, social security numbers, photographs of social security cards, driver’s license numbers, photographs of driver’s licenses, email addresses, photographs of birth certificates, photographs of passports, treatment information, prescription information, diagnoses, health plan beneficiary numbers and portal usernames, passwords and security questions.

All affected individuals have been notified by mail and have been offered a year of free credit monitoring and identity theft protection services. TINA has taken several steps following the breach to improve security, including implementing multi-factor authentication, making real-time security monitoring enhancements, and revising its password protection and password resetting policies. TINA is also currently reviewing and updating user training and technology and security practices to reduce the risk of further email breaches.

722 Patients Affected by Kansas City Business Associate Mis-mailing Incident

The Kansas City, MO-based revenue cycle management company, Pulse Systems, has announced that the PHI of 722 patients of Lincoln Pulmonary and Critical Care in Nebraska has been impermissibly disclosed. An error was made sending statements on July 27 that resulted in individuals receiving statements intended for other patients. The statements included only included names and procedure information. Steps have now been taken to prevent similar errors from being made in the future and all affected individuals have been notified about the privacy breach.

Oklahoma Department of Human Services Mis-mailing Incident Affects 813 Individuals

More than 800 parents and guardians who were involved in a developmental disabilities services program run by the Oklahoma Department of Human Services (ODHS) have been notified that some of their PHI has been impermissibly disclosed as a result of a computer software error. The error resulted in envelopes being mis-addressed in Plan of Care change notice mailings sent between May 17 and July 25.

The mailings contained names, addresses, DHS case numbers, Medicaid client ID numbers, plan of care numbers, providers’ names, services authorized and beginning and end dates, and an explanation that the person is authorized to receive Medicaid Home and Community-Based Waiver Services. No Social Security numbers were disclosed.

ODHS believes 813 individuals have received mailings containing someone else’s information, although it is not possible to tell if any other individuals have been affected.

Email Account Breaches Result in Exposure of 16,000 Individuals’ PHI

Ransom Memorial Hospital in Ottawa, KS, has discovered an unauthorized individual has gained access to an as of yet undisclosed number of email accounts which have been determined to contain the PHI of 14,239 individuals. A further email account breach was detected by Lakewood, CO-based Personal Assistance Services of Colorado, which has resulted in the exposure of 1,839 individuals’ PHI.

The post Summary of Recent Healthcare Data Breaches appeared first on HIPAA Journal.