Online Security Breach Exposes PHI of 5K Medicaid Patients
June 15, 2017 – On April 7, 2017, officials from the Mississippi Division of Medicaid (DOM) discovered evidence of a potential online security breach exposing the PHI of approximately 5,220 patients. An investigation into the incident revealed the potential PHI exposure lasted between May 2, 2014 and April 10, 2017, and included patient names, dates of birth, addresses, phone numbers, email addresses, admission and enrollment dates, health insurer names, conditions, Social Security numbers, and Medicare and Medicaid identification numbers. The security breach occurred as a result of a problem with the online service the agency uses to create forms for its website. Information contained in online forms submitted to the website was not transmitted securely, resulting in the possible exposure of any information in the forms.
However, investigators determined emails and accompanying information were stored securely once received. According to DOM, the incident had no effect on any individual's eligibility determination or Medicaid benefits.
DOM has since removed all online forms from its website and no longer uses the online form service involved in the incident. DOM added it is strengthening existing technological safeguards and revising policies and procedures related to privacy and security regulations to avoid similar incidents in the future.
There is no reason to believe any information was compromised during the occurrence, DOM maintained, but the agency is informing individuals as required.
"It is highly unlikely that the data was compromised, since the typical Internet user would not know how to capture it during transmission," said DOM security officer Keith Robinson in a public statement. "The data storage was secured both at the originating source and the destination [DOM], reducing the risk of the data being compromised." To date, the agency has no evidence to suggest unauthorized use or access of PHI has occurred as a result of the incident.
Connecticut health organization breach potentially impacts over 1K
Sound Community Services, Inc. recently informed current and former patients of a security incident involving the unauthorized access of a Sound employee email account. Sound found evidence of suspicious activity in an employee email account on January 13, 2017 and immediately launched an investigation into the incident. The provider determined that an unauthorized individual had gained access to the account on or around January 12, 2017.
The health organization began notifying potentially impacted individuals of the breach on April 18, 2017. The information of 1,278 individuals was potentially accessed in the breach, according to the OCR data breach reporting tool.
Potentially viewed information includes patient names and client numbers. Additionally, referral information relating to one individual may have been accessible to the unauthorized individual. However, Sound stated no evidence exists at this time suggesting any patient information was accessed or misused in any way.
The organization stated potentially affected individuals can expect to receive further information regarding the incident as well as access to two years of free identity theft protection services.
Medical device stolen from St. Louis medical group
SSM Health Medical Group recently informed all patients who had an electrodiagnostic study in Dr. Syed Khader's office of a security breach. The incident occurred at some point between the night of April 12, 2017 and the morning of April 13, 2017. The breach was discovered when an SSM Health employee noticed a component of an electromyography (EMG) medical device was missing from SSM Health Orthopedics at DePaul Hospital. The theft was immediately reported to the Bridgeton Police Department and an investigation is currently underway.
According to the OCR data breach reporting tool, 836 patients were potentially impacted in the incident. SSM officials stated the stolen medical device was used only for patients of Dr. Syed Khader. Information contained on the device included patient names, dates of birth, medical record numbers, and chief complaints.
"We do not believe you are at risk for identity theft based on the limited information stored on the device," stated SSM officials in a notice issued to potentially impacted patients. "We can assure you that the device did not contain your Social Security number, address, phone number or financial information of any kind." It is likely that the purpose of the theft was to steal the medical device, which resembles a laptop computer, and not health information.
The Missouri health organization stated there currently exists no evidence suggesting the health information contained on the medical device has been accessed or misused in any way. As a result of the incident, SSM has tightened its security controls through written procedures and further staff training regarding management of patient information.
Medical devices stolen from 2 Southwest Community Health Center sites
On April 8, 2017, Southwest Community Health Center experienced a break-in at its Fairfield Avenue location where four desktop computers, one laptop, and other miscellaneous items were stolen. The health center also fell victim to another break-in at a separate location on April 14, 2017, during which two laptops and other miscellaneous items were stolen.
Southwest security alarms were activated in response to the incident and security and law enforcement immediately arrived at the scene. According to a preliminary investigation, some PHI may have been contained on the local drives or in email accounts locally stored on the devices. However, health center officials stated there exists no evidence suggesting the individuals who stole the devices intend to misuse the information for fraud.
According to the investigation, patient information including names, bank account numbers, Social Security numbers, and medical information such as diagnoses and insurance information may have been included on the stolen devices. Southwest is issuing advisory notices to all potentially impacted individuals including information regarding how concerned individuals can protect themselves against identity theft and fraud. Additionally, the health center is providing potentially impacted patients with access to free identity monitoring and restoration services.
Southwest has not revealed how many individuals were potentially affected by the breach.
Hard drive containing patient information stolen from Washington State University
Washington State University (WSU) recently suffered a data breach in which a locked safe containing a hard drive was stolen. On April 21, 2017, WSU became aware of a theft involving a hard drive used to store backup files from a server. The hard drive belonged to WSU's Social & Economic Sciences Research Center (SESRC). WSU immediately launched an internal investigation and notified law enforcement of the theft.
Through the investigation, WSU confirmed the stolen hard drive contained personal information from survey participants and has enlisted the help of a computer forensics firm to further assist. Information contained on the drive included survey participants' names, Social Security numbers, and some personal health information. Potentially impacted individuals include those who provided data to SESRC, such as members of school districts, community colleges, and other customers.
WSU is notifying potentially impacted individuals of the breach and offering free credit monitoring and identity theft protection services to concerned individuals.
The WSU statement did not say how many individuals were potentially affected by the incident.