21,000 Patients Affected by Breaches at Pasquotank-Camden Emergency Medical Services and Oklahoma Heart Hospital

Pasquotank-Camden Emergency Medical Services (PCEMS) discovered that hackers gained access to the server that hosts its billing system. The server contained the protected health information (PHI) of 20,420 patients.

As a result of the attack, the hackers may have accessed the highly sensitive data of people who received healthcare services from PCEMS in the past.

The server stored the following types of information: names, dates of birth, Social Security numbers, and some medical data that PCEMS collected.

PCEMS reported the breach immediately to the Pasquotank County Sheriff and federal police authorities, who determined that the hackers were located outside the U.S. No evidence was found to suggest that patients’ PHI was stolen, and no reports indicating misuse of patient information had been received by the time notification letters were issued to patients.

Because data theft cannot be ruled out with 100% certainty, PCEMS offered free credit monitoring and identity theft protection services to all affected patients for 12 months through ID Experts. Affected patients are also covered by a $1,000,000 insurance reimbursement policy. Enrollment in these services is not automatic, however: affected patients must register on or before May 26, 2019.

PCEMS is currently reviewing its cybersecurity defenses and will take action to improve them and prevent similar breaches in the future.

Oklahoma Heart Hospital has reported another potential ePHI breach. The hospital is informing 1,221 patients that some of their PHI may have been compromised; it was stored on desktop computers that were stolen in January.

The theft of four desktop computers occurred at the outpatient clinic of Mercy Hospital in Oklahoma City, OK. At the time, Oklahoma Heart Hospital was relocating into those offices.

Because the computers were not encrypted, it is possible that the thieves accessed the patient information contained in stored email messages that were sent as internal communications between hospital employees. The patient information included only names, phone numbers, addresses, birth dates, and clinical data, including blood pressure records and laboratory values. Medical data are kept on a protected server and were not compromised.

Oklahoma Heart Hospital has already adjusted its policies and procedures to avoid similar breaches in the future.