Patient Data Exposed in Phishing Attack on UC San Diego Health – HIPAA Journal
Data breaches have recently been reported by UC San Diego Health, Littleton Regional Healthcare, UT Southwestern Medical Center, and the Texas Health and Human Services Commission.
UC San Diego Health Discloses January Phishing Attack
UC San Diego Health has recently notified the California Attorney General about a phishing attack that was discovered on January 9, 2024, which exposed the sensitive data of patients. Two Hillcrest Medical Center employees responded to the phishing emails and disclosed their credentials, which allowed their email accounts to be accessed by unauthorized individuals. UC San Diego Health said the email accounts were accessed for brief periods between January 9, 2024, and January 22, 2024.
A review of the exposed emails and attachments was completed on February 26, 2024, and confirmed that they contained patients’ protected health information such as names, Social Security numbers, and one or more of the following: mailing address; email address; date of birth; medical record number; health insurance information; treatment cost information; and/or clinical information, such as medications, provider name or diagnosis.
UC San Diego Health said it is enhancing its security controls and will continue to provide phishing prevention training and education to its employees. The affected individuals are being notified and are being offered complimentary credit monitoring and identity theft protection services. It is currently unclear how many individuals have been affected.
Littleton Regional Healthcare Reports Email Error and the Impermissible Disclosure of Patient Information
Littleton Regional Healthcare in New Hampshire has recently reported a breach of the protected health information of 12,614 individuals. On January 2, 2024, an employee sent an email containing the names and dates of birth of patients to an individual who was not authorized to receive the information. That individual contacted Littleton Regional Healthcare the same day to report the error and confirmed that the information in the email had not been disclosed to anyone else and that the email had been deleted. Littleton Regional Healthcare has notified the affected individuals, reviewed appropriate policies and procedures, and provided further training to employees to reduce the likelihood of similar errors in the future.
Texas Health and Human Services Commission Breach Affects More Than 3,300 Patients
The Texas Health and Human Services Commission (HHSC) has discovered an impermissible disclosure of the personal information of 3,392 individuals. On January 11, 2024, a member of staff emailed spreadsheets containing sensitive information to a personal email account. The spreadsheets contained the personal information of people who live in or around Tyler, Texarkana, Longview, Marshall, Beaumont, and Nacogdoches, and included full names, addresses, telephone numbers, financial information, health information, Medicaid numbers, and Social Security numbers. The spreadsheets were sent in several emails between September 2023 and October 2023.
The investigation into the breach concluded on February 2, 2024, and notification letters have now been mailed to the affected individuals, who have been offered 12 months of free credit monitoring services. HHSC said it has found no evidence to suggest that the spreadsheets have been shared with any other individuals or that the information has been misused. Additional training has been provided to the workforce to remind staff members of the importance of protecting confidential information.
UT Southwestern Medical Center Reports Software-Related Data Breach
UT Southwestern Medical Center has recently reported a breach to the Texas Attorney General that involved the protected health information of 2,094 individuals. Little information about the data breach has been disclosed at this stage, but the medical center has confirmed that the breach was not due to a cyberattack and was related to the internal use of unapproved software. The information that was involved included names, addresses, dates of birth, medical information, and health insurance information. Individual notifications are currently being prepared and will be mailed shortly.