Thousands of medical records have been found abandoned in a publicly accessible dumpster in Texas. The boxes contain records of Today’s Vision patients and employees and include paperwork containing highly sensitive information.

Today’s Vision has more than 50 independently owned and operated optometry clinics throughout Texas. Most of the records appear to have come from Today’s Vision in Willowbrook in northwest Houston. The Willowbrook location is no longer operational and was sold to MyEyeDr three months ago.

Dr. Donald Glenz owned and ran both the Willowbrook and Tomball Today’s Vision offices, prior to the sale to MyEyeDr in February. Dr. Glenz is unaware how the files came to be dumped and who is responsible. Dr. Glenz told KPRC that the incident is being investigated to determine who was responsible. Prior to any records being deleted they are usually shredded in accordance with HIPAA requirements but that did not occur in this instance. Today’s Vision executive director Greg Watson described the discovery as ‘disturbing.’

The incident is also being investigated by MyEyeDr and the Department of Health and Human Services is working closely with the police department and is investigating the HIPAA violation.

Over 20 boxes of records were discovered in a dumpster behind the strip mall in Tomball, which is several miles away from the offices where the records were held. The boxes have been recovered by Tomball Police department and are being securely stored.

The records appear to relate to patients who received vision services between 1997 and 2013 and staff who served at Willowbrook location in the same time period.

The types of information in the paperwork include names, addresses, phone numbers, payment information, insurance information, limited health histories, and Social Security numbers. Employee information includes work related information such as resumes, immigration status, vacation requests, payment information, and some personal information.

The post Boxes of Records of Today’s Vision Patients and Employees Discovered in Texas Dumpster appeared first on HIPAA Journal.

The email accounts of several employees of Medford, OR-based Hematology Oncology Associates. P.C. have been compromised as a result of responses to phishing emails. The phishing attack was detected on March 19, 2018, although the investigation revealed the first account was breached on December 18, 2018. Further accounts were compromised up until February 22, 2019.

Third-party computer forensics experts were retained to investigate the breach, but it was not possible to determine which, if any, emails and attachments had been opened by the attackers.

The breach investigation was concluded on April 20 and confirmed that some of the emails and attachments in the compromised accounts contained patients’ protected health information.

A password reset has been performed to prevent further unauthorized access and additional security awareness training will be provided to employees.

The breach has been reported to the HHS’ Office for Civil Rights and state attorneys general and affected individuals have been offered free membership to Experian’s IdentityWorks credit monitoring and identity theft protection services.

It is currently unclear how many people have been affected by the breach.

Former Penn Medicine Employee Accused of Accessing and Misusing Patient Information

A former medical assistant at Penn Medicine has been accused of accessing patient information without authorization and misusing the information of at least one patient.

The contract employee had been hired through a staffing agency and worked at Penn Medicine between February and April 2019. Penn Medicine learned on April 29, 2019 that the employee had accessed patient information without any legitimate work reason for doing so.

The types of information that could have been viewed included names, demographic information, clinical information and, for certain patients, Social Security numbers. In total, the former employee had accessed 900 patient records during the 3 months of employment.

Penn Medicine spokesperson Lauren Steinfeld issued a statement saying Penn Medicine is aware of one patient whose PHI had been misused, although the nature of that misuse was not disclosed.

All 900 patients have now been notified about the privacy breach. Penn Medicine is also reviewing its use of contractors and staffing agencies and will be taking steps to ensure all employees maintain high professional standards.

The post Phishing Attack on Hematology Oncology Associates Sees Multiple Email Accounts Breached appeared first on HIPAA Journal.

Cancer Treatment Centers of America (CTCA) has discovered the email account of an employee of its Southeastern Regional Medical Center has been compromised as a result of a response to a phishing email.

The email account breach occurred on March 10, 2019 after the employee disclosed network login credentials when responding to a seemingly legitimate internal email. CTCA discovered the breach the following day and secured the account by changing the password.

The account was accessible for less than two days, but during that time it is possible that information in emails and email attachments may have been viewed. The third-party computer forensics firm that was retained to conduct an investigation and found no evidence to suggest any patient health information was viewed, but it was not possible to rule out PHI access or data theft.

The compromised email account contained names, addresses, medical record numbers, government ID numbers, health insurance information, and some medical information. No Social Security numbers or financial information were exposed.

Individuals affected by the breach are being notified and have been told to be alert to the possibility of misuse of their personal information and to carefully monitor their explanation of benefits statements and other account statements for unfamiliar charges or items.

This is the second successful phishing attack on CTCA to be reported in the past 6 months. In December 2018, an employee’s email account was compromised which contained the protected health information of 41,948 patients.

The breach occurred on May 2, 2018, CTCA was informed about the breach on September 26, 2018, and the breach was announced in early December. In that incident, the account was accessible for less than a day.

In response to the latest incident, further email security enhancements are being evaluated and CTCA is continuing to reinforce security awareness training and is ensuring employees know how to recognize phishing emails.

It is currently unclear how many individuals have been affected by the latest breach. The security breach has been reported to the Vermont Attorney General, but the incident has not yet appeared on the HHS’ Office for Civil Rights breach portal.

The post Another Phishing Attack Reported by Cancer Treatment Centers of America appeared first on HIPAA Journal.

Medical Oncology Hematology Consultants (MOHC), a Newark, DE-based cancer treatment center, is alerting certain patients that some of their protected health information (PHI) has been exposed as a result of an email security breach.

According to the substitute breach notice on the MOHC website, an email account was compromised between June 7 and June 8, 2018. It is unclear when MOHC learned of the breach, but its ‘extensive investigation’ concluded on March 14, 2019 that the breach had resulted in the exposure of patient information.

Third party computer forensics experts were engaged to conduct the investigation, which involved extensive coordination with the company that hosts its email environment. Data access and theft could not be ruled out, although no reports have been received to suggest any patient information has been misused.

Names, dates of birth, Social Security numbers, government ID numbers, financial account information, and health and medical information were exposed. All patients affected by the breach have been notified and offered 12 months of membership to credit monitoring and associated services at no cost.

Steps have been taken to improve email security including the use of a new, secure portal for the delivery of emails from external sources, additional malware blocking measures, a suspicious email reporting system, encryption of outgoing emails, and the provision of further security awareness training to employees. Notifications have also been set up to alert employees if they are attempting to send emails containing unencrypted sensitive information.

This is the second large data breach to be reported by MOHC in the past 2 years. In September 2017, MOHC announced that it was the victim of a ransomware attack that impacted 19,000 patients.

It is currently unclear how many patients have been affected by the latest security breach.

Health Net of California Mailing Error Results in Impermissible Disclosure of PHI

Health Net of California has discovered a coding error on a mailing has resulted in the impermissible disclosure of subscribers’ PHI.

The coding error was introduced on a mail merge which caused letters to be misaligned. As a result, the PHI of subscribers was printed on letters that were mailed to other subscribers. The coding error occurred on March 1 and affected mailings up until March 12, 2019.

As a result of the error, the following data elements were impermissibly disclosed: Name, date of birth, Health Net ID number, health plan name, group number, dependents’ names and ages, primary care physician’s name and address, and the last four digits of dependents’ social security numbers.

Health Net of California identified and corrected the coding error and has implemented additional procedures for future mailings, including several testing scenarios and the use of a checklist to make sure errors are found and corrected prior to letters being mailed.

It is currently unclear how many subscribers have been affected.

American Medical Response Alerts Patients About Email Breach

American Medical Response, a Greenwood Village, CO-based provider of emergency and patient relocation services, has discovered an unauthorized individual has gained access to the PHI of 4,300 patients who had previously used its ambulance service.

The information was contained in employee email accounts that were compromised as a result of a phishing attack. The compromised email accounts contained names, addresses, dates of birth, Social Security numbers, health insurance identifiers, and diagnostic and treatment information. The breach was limited to email accounts and no other systems or databases were subjected to unauthorized access.

While patients’ protected health information was potentially accessed, no reports have been received to suggest any patient information has been misused.

All patients affected by the breach have been notified by mail and have been offered complimentary credit monitoring services. American Medical Response has implemented additional security measures to reduce the risk of further email account breaches and employees have been provided with additional security awareness training.

Bloodworks Northwest Notifies Patients of PHI Exposure

The Seattle, WA-based blood bank and medical research institute, Bloodworks Northwest, is alerting 1,893 patients that some of their PHI has been exposed and potentially stolen.

On March 13, 2019, Bloodworks discovered a list containing patients’ names, dates of birth, and medical diagnoses had gone missing from an employee’s desk. Despite a search being performed, the list could not be located.

Peculiarly, the Notice of Data Privacy Event on the Bloodworks website says “While we are unaware of any misuse of the personal information in the impacted email account, we encourage you to remain vigilant against incidents of identity theft and fraud, to review your account statements, and to monitor your credit reports for suspicious activity.”

It is unclear whether this is an error or if an email account was also compromised. The breach report submitted to the HHS’ Office for Civil Rights suggests the breach solely involved the loss of paperwork.

The post Medical Oncology Hematology Consultants Notifies Patients about June 2018 Data Breach appeared first on HIPAA Journal.

Medical Oncology Hematology Consultants (MOHC), a Newark, DE-based cancer treatment center, is alerting certain patients that some of their protected health information (PHI) has been exposed as a result of an email security breach.

According to the substitute breach notice on the MOHC website, an email account was compromised between June 7 and June 8, 2018. It is unclear when MOHC learned of the breach, but its ‘extensive investigation’ concluded on March 14, 2019 that the breach had resulted in the exposure of patient information.

Third party computer forensics experts were engaged to conduct the investigation, which involved extensive coordination with the company that hosts its email environment. Data access and theft could not be ruled out, although no reports have been received to suggest any patient information has been misused.

Names, dates of birth, Social Security numbers, government ID numbers, financial account information, and health and medical information were exposed. All patients affected by the breach have been notified and offered 12 months of membership to credit monitoring and associated services at no cost.

Steps have been taken to improve email security including the use of a new, secure portal for the delivery of emails from external sources, additional malware blocking measures, a suspicious email reporting system, encryption of outgoing emails, and the provision of further security awareness training to employees. Notifications have also been set up to alert employees if they are attempting to send emails containing unencrypted sensitive information.

This is the second large data breach to be reported by MOHC in the past 2 years. In September 2017, MOHC announced that it was the victim of a ransomware attack that impacted 19,000 patients.

It is currently unclear how many patients have been affected by the latest security breach.

Health Net of California Mailing Error Results in Impermissible Disclosure of PHI

Health Net of California has discovered a coding error on a mailing has resulted in the impermissible disclosure of subscribers’ PHI.

The coding error was introduced on a mail merge which caused letters to be misaligned. As a result, the PHI of subscribers was printed on letters that were mailed to other subscribers. The coding error occurred on March 1 and affected mailings up until March 12, 2019.

As a result of the error, the following data elements were impermissibly disclosed: Name, date of birth, Health Net ID number, health plan name, group number, dependents’ names and ages, primary care physician’s name and address, and the last four digits of dependents’ social security numbers.

Health Net of California identified and corrected the coding error and has implemented additional procedures for future mailings, including several testing scenarios and the use of a checklist to make sure errors are found and corrected prior to letters being mailed.

It is currently unclear how many subscribers have been affected.

American Medical Response Alerts Patients About Email Breach

American Medical Response, a Greenwood Village, CO-based provider of emergency and patient relocation services, has discovered an unauthorized individual has gained access to the PHI of 4,300 patients who had previously used its ambulance service.

The information was contained in employee email accounts that were compromised as a result of a phishing attack. The compromised email accounts contained names, addresses, dates of birth, Social Security numbers, health insurance identifiers, and diagnostic and treatment information. The breach was limited to email accounts and no other systems or databases were subjected to unauthorized access.

While patients’ protected health information was potentially accessed, no reports have been received to suggest any patient information has been misused.

All patients affected by the breach have been notified by mail and have been offered complimentary credit monitoring services. American Medical Response has implemented additional security measures to reduce the risk of further email account breaches and employees have been provided with additional security awareness training.

Bloodworks Northwest Notifies Patients of PHI Exposure

The Seattle, WA-based blood bank and medical research institute, Bloodworks Northwest, is alerting 1,893 patients that some of their PHI has been exposed and potentially stolen.

On March 13, 2019, Bloodworks discovered a list containing patients’ names, dates of birth, and medical diagnoses had gone missing from an employee’s desk. Despite a search being performed, the list could not be located.

Peculiarly, the Notice of Data Privacy Event on the Bloodworks website says “While we are unaware of any misuse of the personal information in the impacted email account, we encourage you to remain vigilant against incidents of identity theft and fraud, to review your account statements, and to monitor your credit reports for suspicious activity.”

It is unclear whether this is an error or if an email account was also compromised. The breach report submitted to the HHS’ Office for Civil Rights suggests the breach solely involved the loss of paperwork.

The post Medical Oncology Hematology Consultants Notifies Patients about June 2018 Data Breach appeared first on HIPAA Journal.

The Lubbock, TX-based medical group UMC Physicians is alerting patients of UMC Southwest Gastroenterology that some of their protected health information has been exposed as a result of errors of judgement by two of its employed providers.

Those providers had each set up a Google shared drive which was used to track follow up tasks related to the provision of care to patients. While the shared drives were set up with good intentions and were intended to help improve the care provided to patients, the providers used an unapproved cloud storage solution and patient data was inadvertently stored on an unsecured network.

UMC Physicians discovered the policy violation on March 12, 2019 and launched an investigation to determine which patients’ protected health information had been exposed. During the course of that investigation, UMC Physicians determined that one of the providers had also been forwarding emails containing patient information to an unsecured Gmail account.

The types of information that had been stored on the unsecured network and emailed to the Gmail account included names, addresses, telephone numbers, medical record numbers, dates of birth, dates of service, health insurance carriers, diagnoses, and medical procedures performed. Highly sensitive information such as Social Security numbers, insurance policy numbers, and financial information were not exposed.

In response to the discovery, UMC Physicians has provided additional training to employees on the use of approved cloud storage solutions and technical controls will be implemented to prevent unauthorized cloud storage solutions from being used in the future.

No evidence has been found to suggest patient information has been accessed by unauthorized individuals nor have any reports been received to indicate there has been misuse of patient information. All patients whose protected health information has been exposed have been notified of the breach by mail.

It is currently unclear exactly how many patients have been affected.

The post UMC Physicians Discovers Patient Information Was Uploaded to Unapproved and Unsecured Cloud Service appeared first on HIPAA Journal.