Randolph Health and Rutgers Robert Wood Johnson Medical School have recently reported email incidents involving the unauthorized access/disclosure of patient information.

Randolph Health

American Healthcare Systems LLC, doing business as Randolph Health in North Carolina, discovered a compromised employee email account on February 14, 2024. The email account was immediately secured to prevent further unauthorized access and third-party cybersecurity experts were engaged to investigate the incident. The investigation confirmed that the breach was limited to a single email account, and the review of the account confirmed that files were present that contained the protected health information of 899 patients.

The exposed data included full names, dates of birth, medical record numbers, health insurance identification numbers, and diagnosis codes. Randolph Health said it was not possible to tell if any of those files were accessed or acquired, so notification letters were sent to all potentially affected individuals. Randolph Health said it is committed to maintaining the privacy of personal information and has taken additional steps to improve security and will continue to evaluate its security practices.

Rutgers Robert Wood Johnson Medical School

Rutgers Robert Wood Johnson Medical School in New Brunswick, NJ, has identified an email incident involving the protected health information of 543 patients. On February 1, 2024, the medical school discovered a former employee had emailed patient data from their work email account to a personal email account. Several files had been emailed that included spreadsheets containing patient data, including patient names, medical record numbers, treatment information, and prescription information. The information was sent to the personal email account on January 19, 2024.

The affected individuals were notified by mail on April 1, 2024, and the matter has been reported to law enforcement for investigation and appropriate action. The affected individuals have been advised to monitor the statements they received from their healthcare providers and health insurance plan for any services that were not received, and if they are found, to report it to the relevant provider or health plan.

The post Email Incidents Reported by Randolph Health & Rutgers Robert Wood Johnson Medical School appeared first on HIPAA Journal.

Cyberattacks have been reported by Cattaraugus-Allegany Board of Cooperative Education Services and the Burlington, NC-based dentist, Mary H. Makhlouf, DMD, MS, PA. Highmark has discovered a database error that resulted in letters being mailed to incorrect addresses.

Cattaraugus-Allegany Board of Cooperative Education Services Cyberattack Affects 15,203 Medical Plan Members

Cattaraugus-Allegany Board of Cooperative Education Services (CABOCES) in southwestern New York has fallen victim to “a sophisticated cyberattack… that caused some of its internal tools, software, and servers to become temporarily unavailable.” CABOCES engaged third-party cybersecurity experts who confirmed that an unauthorized third party had access to its systems between July 5, 2023, and July 20, 2023. During that time, the attacker had access to the data of current and former employees who were members of the AC Schools Medical Health Plan.

The review of the affected files confirmed that they contained names, Social Security numbers, financial account information, driver’s license numbers, passport information, medical information, and/or health insurance information. Notifications started to be mailed to the 15,203 affected individuals on April 4, 2024.

Highmark Discovers Database Error Caused Letters to be Sent to Previous Addresses

Highmark has discovered that an August 2023 database update resulted in care and case management letters to members’ previous addresses. The error was identified and corrected in February 2024, letters; however, between August 2023 and February 2024, letters were inadvertently mailed to individuals’ previous addresses. The error only affected individuals who previously had a change of address – 5,356 individuals.

The letters included the individual’s name and Highmark identification number, and depending on the type of letter sent, may also have included a reference number, employer group name and number, date of birth, a service date range, a service or procedure code and description, medication name and dosage, and the provider or facility name.  Notification letters were sent to the affected individuals on April 2, 2024.

Highmark said the error has been fixed and additional controls have been implemented to prevent similar incidents in the future, including database changes to maintain the accuracy of member addresses, flags for the current active address, and validation checks to make sure that members have only one active address loaded to the database.

North Carolina Dental Practice Suffers Ransomware Attack

The Burlington, NC-based dentist, Mary H. Makhlouf, DMD, MS, PA, has recently announced that her practice was hit with a sophisticated ransomware attack on January 24, 2024. Upon detection, the network was immediately secured to prevent further unauthorized access, and third-party cybersecurity specialists were engaged to investigate the incident.

The investigation uncovered evidence that portions of patient files were subject to unauthorized access. While it has not yet been possible to determine exactly what information was accessed or copied from the network, the exposed files contained names and one or more of the following types of information: address, phone number, email address, date of birth, Social Security Number, driver’s license/state ID number, financial account information, treatment/diagnosis information, prescription information, provider name, medical record/case number, Medicare/Medicaid ID number, health insurance information, and treatment cost.

Notification letters will shortly be mailed to the affected individuals once up-to-date address information has been obtained. The breach has recently been reported to the HHS’ Office for Civil Rights as affecting up to 1,797 individuals.

The post Health Plan Data Exposed in Cattaraugus-Allegany Board of Cooperative Education Services Cyberattack appeared first on HIPAA Journal.