DataBreaches.Net


Wentworth-Douglass reports insider breach at business associate, Ambucor (UPDATE5)

Posted on November 21, 2016 by Dissent

First it was Carolina Cardiology Consultants disclosing that 2500 of their patients had been affected by a breach at their business associate, Ambucor. Then it was Lebanon Cardiology Associates, PC (now known as WellSpan Cardiology) notifying HHS that 537 of their patients had been affected by Ambucor’s incident. Now it’s Wentworth-Douglass Hospital notifying 775 of their patients of the breach. Fosters reports:

Ambucor discovered recently that thumb drives recovered from one of its former employees contained personal information of thousands of patients nationwide, including 775 WDH patients.

The personal information did not include Social Security numbers or credit card, insurance, Medicaid/Medicare or other financial information.

The personal information may have included patient’s name, date of birth, home address, phone number, medications, race, testing data, patient identification number, medical device information such as the manufacturer, diagnosis, Ambucor enrollment number, Ambucor enrollment date, Ambucor technician name, physician name(s), and the name and address of the practice where the patient was seen.

Read more on Fosters.

A copy of Ambucor’s notification to Lebanon Cardiology’s patients, provided to DataBreaches.net by WellSpan, indicates that the employee misconduct occurred in March 2016, but Ambucor did not discover it until July, when, according to a statement from Greenville Health System, Ambucor was informed by law enforcement, who gave them the thumb drives with patient information.

In July, when Ambucor reported the incident to HHS, they reported 1,679 patients were affected. So far, we have 3,812 patients for the three entities mentioned in this post, so it’s not clear what the total number really is for this incident. DataBreaches.net has sent an inquiry to Ambucor, and will update this post if more information becomes available.

Update: It seems that 4,500 Main Line Health patients were also notified of the breach earlier this month, although I don’t see any notification on HHS at this time. Main Line also reports that the former employee is currently incarcerated. In addition to Main Line Health, add the following entities whose patients have also been notified of the Ambucor incident:

Stony Brook Internists, University Faculty Practice Corporation (UFPC), whose notice does not indicate the number of patients, but notes that the employee’s incarceration is on unrelated charges;

Lenox Hill Heart and Vascular Institute, whose notice does not indicate the number of patients;

Pikeville Medical Center, whose notice in June is no longer available online; and

Conemaugh Physician Group Cardiology, whose notice does not indicate the number of patients.

As I come across others, I’ll add them to this post.

Update 2: Add Berkshire Medical Center (Cardiology Services) to the list. All of their 1,745 patients were notified.

Update 3: Add New Mexico Heart Institute, who had 4100 patients to notify.

Update 4: Add Cleveland Clinic Akron General, who are notifying 730 patients.

Ambucor has not responded to the inquiry sent to them asking for a fuller disclosure as to how many patients, total, have been notified of this incident.

Update 5: I was able to locate the Pikeville Medical Center news coverage of the incident. Somewhat surprisingly, it was in their June 3 newsletter and said they had been recently notified. How could that be when Ambucor supposedly didn’t find out about the breach until around July 1 when law enforcement notified them? Perhaps they were notified by law enforcement earlier but did not recover the thumb drives from law enforcement until July?


2 thoughts on “Wentworth-Douglass reports insider breach at business associate, Ambucor (UPDATE5)”

  1. Marianne says:
    November 28, 2016 at 6:15 pm

    This information may be wrong only because I received a letter from them stating that the hack did include social security numbers…basically they said they have everything but a credit or debit number or medical insurance or medicare or medicaid numbers.

    1. Dissent says:
      November 28, 2016 at 6:49 pm

      You received a letter from Wentworth-Douglass that said SSN *were* included, or from Ambucor? I uploaded Ambucor’s letter and it says no SSN, so who told you SSN were included? Can you scan it in?
