DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

QuadMed health records system issue affected onsite clinics of three clients

Posted on March 1, 2018 by Dissent

One of the incidents reported to HHS this month was an incident reported by QuadMed in Wisconsin. Today, I finally found some documentation as to what that incident was all about.

As background, QuadMed describes itself as providing occupational health and primary care services to some clients. In some cases, they may take over an onsite clinic at a client’s. When that happens, QuadMed and the client may agree or arrange that health-related information from the clinic will be stored in a shared records system that both QuadMed and some of the client’s employees can access.

And that’s pretty much what they did with three of their clients: Hillenbrand, Stoughton Trailers and the Whirlpool Corporation.

QuadMed took over the Hillenbrand onsite clinic on November 7, 2013. According to a statement they issued, on December 26, 2017, QuadMed became aware of a potential technical issue that enabled Hillenbrand employees to access more information than they should have been able to access.  Whether that unintended access existed since November 2013 was not clear, but that information included employees’ name, date(s) of services or treatment at the onsite clinic, and medical information, such as test or evaluation results, diagnoses, and information related to medical history, examinations, physicals, screenings, vaccinations, travel medicine, and/or workers’ compensation information.

In response to the incident, QuadMed and Hillenbrand implemented new administrative and technical controls and re-educated employees on HIPAA.

QuadMed also took over the Stoughton Trailers onsite clinic. According to their statement, on December 26, 2017, QuadMed also became aware of the potential technical issue with access to that clinic’s record system (as with the Hillenbrand situation). Their investigation determined that certain Stoughton Trailers’ employees had access to more information in that system, as well as through other electronic means, than should have been permissible since May 9, 2016.

Starting in January 2017, QuadMed also took over the onsite clinic at Whirlpool Corporation’s Clyde, Ohio plant.  On February 6, 2017, QuadMed recognized that there was an issue, and according to their statement, was working to investigate and then remedy the issue since that time. “In October 2017,” they write,  “QuadMed was granted with the needed level of system access to more thoroughly investigate the issue. QuadMed subsequently determined this notification was appropriate.”

QuadMed’s report to HHS indicated that 4,549 patients were affected.

 

No related posts.

Category: Breach IncidentsExposure

Post navigation

← Tufts Health Plan notifies 70,320 members after vendor error exposes information in envelope window
Amazon Releases New Guidance on AWS and FERPA →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Russia Jailed Hacker Who Worked for Ukrainian Intelligence to Launch Cyberattacks on Critical Infrastructure
  • Kentfield Hospital victim of cyberattack by World Leaks, patient data involved
  • India’s Max Financial says hacker accessed customer data from its insurance unit
  • Brazil’s central bank service provider hacked, $140M stolen
  • Iranian and Pro-Regime Cyberattacks Against Americans (2011-Present)
  • Nigerian National Pleads Guilty to International Fraud Scheme that Defrauded Elderly U.S. Victims
  • Nova Scotia Power Data Breach Exposed Information of 280,000 Customers
  • No need to hack when it’s leaking: Brandt Kettwick Defense edition
  • SK Telecom to be fined for late data breach report, ordered to waive cancellation fees, criminal investigation into them launched
  • Louis Vuitton Korea suffers cyberattack as customer data leaked

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • On July 7, Gemini AI will access your WhatsApp and more. Learn how to disable it on Android.
  • German court awards Facebook user €5,000 for data protection violations
  • Record-Breaking $1.55M CCPA Settlement Against Health Information Website Publisher
  • Ninth Circuit Reviews Website Tracking Class Actions and the Reach of California’s Privacy Law
  • US healthcare offshoring: Navigating patient data privacy laws and regulations
  • Data breach reveals Catwatchful ‘stalkerware’ is spying on thousands of phones
  • Google Trackers: What You Can Actually Escape And What You Can’t

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.