Health data breaches due to external actors continue to predominate recently.

Posted on by Dissent

Because I’m at a conference, it’s been hard to update a lot, but here are a few of the health data breaches I’ve spotted this week:

Main Line Endoscopy Centers in Pennsylvania announced that it recently mailed notifications to patients whose personal information was in an employee’s email account a t the time that the employee fell for  a phishing attack.  According to their report to HHS, 14,305 patients were notified.

They were not the only healthcare provider busy making notifications after compromise of office email accounts. The Oregon Endodontic Group reported that on November 13, 2018, they became aware of suspicious activity in the office’s email accounts. Investigation revealed that emotet malware had been downloaded onto the computer a few days previously. Investigation could not definitively rule out that patient protected health information had been exfiltrated. The ePHI included name and one or more of date of birth, treatment/diagnosis information or health insurance information for most of the affected individuals. In addition, name and Social Security number was included for 41 individuals, name and driver’s license number for 2 individuals, and name and financial account information for 7 individuals. The total number of individuals sent notification was not revealed.  The incident was reported to the Oregon Attorney General’s Office on April 2, but it’s not clear why it took so long to notify.

And then there was the Gifted Development Center, part of the Institute for Advanced Study of Development in Colorado, who reported that an office burglary on February 5, resulted in the theft of several computers containing children’s psychoeducational testing reports. If you’re not familiar with such evaluations, they contain a wealth of information.  As they explain:

Your child’s report describes our assessment of your child, which includes personal information such as name, date of birth, address, your names, comments about family and medical history, scores and observations from evaluations, diagnoses (both prior to and by our staff), school and education information, and recommendations for your child’s continued development. There are no Social Security numbers, driver’s licenses, or financial information included in your child’s report.
The number of children impacted was not disclosed.
And then there was also the Northeast Philadelphia Vascular Surgeons, P.C. in Pennsylvania, who notified 8,193 patients about a hacking/IT incident involving their server, but I haven’t gotten details on that one yet.
And did I mention that Gulfport Anesthesia Services of Mississippi notified HHS that 20,000 patients were impacted by theft?At first, I thought this might be the same incident reported more than one month earlier by Memorial Hospital in Gulfport, but they had reported 30,000 impacted by a phishing incident. Could it be the same incident just coded differently and with revised numbers? Perhaps. It’s hard to tell as the anesthesia group does not seem to have a web site and I have found no notification from them yet.
So how was your week?
And oh yes, I have more breaches involving health data to report.  I’m just trying to get caught up here as I can.
UPDATE:  The Gulfport Anesthesia incident involved the theft of patient records from an external storage facility.

Related:

Category: Breach IncidentsHackHealth DataMalwarePhishingU.S.