Connecticut -based Saint Francis Healthcare Partners is contacting 38,529 patients to make them aware that some of their protected health information may have been obtained by cybercriminals due to a “sophisticated cybersecurity incident” that allowed an unauthorized person to gain access to its email system.
The attack took place on December 30, 2019 but it took until March 20, 2020 for the forensic investigation to determine that patients’ protected health information was potentially exfiltrated. The types of information stored in the email system that could have been accessed included names, medical histories, medical record numbers, clinical and treatment information, dates of service, diagnoses, health insurance provider names, account numbers, prescription information and/or types of procedures performed. No financial details or Social Security numbers were impacted.
The investigation found no proof of patient information being accessed, stolen, or misused. Measures have now been implemented to improve data security practices and all affected patients have been notified by mail.
Florida Internal Medicine Practice Hit by Ransomware Attack
Daniel Bendetowicz, MD, PA is alerting 3,314 patients that their protected health information has been infiltrated due to a ransomware attack. The attack took place on March 25, 2020 resulting in the encryption of its computer systems, including patient records. Backup files were not impacyted so files could be recovered without meeting the ransom.
In these types of ransomware attacks, files are not typically accessed by the attackers before file encryption; however, data access could not be eliminated so notification letters have been sent to affected patients. Dr. Bendetowicz explained in the breach notification letters that names, addresses, dates of birth, Social Security numbers, health insurance information, and medical information were potentially impacted.
As a precautionary step, identity theft protection services have been provided to all affected individuals. Steps have also been taken to enhance security to prevent further attacks in the future.
Houston Methodist Hospital Alerts 2,000 Patients of PHI Being Stolen
Houston Methodist Hospital is contacting 1,987 heart patients that some of their protected health information was stored on portable storage devices that were taken from the vehicle of a vendor representative in mid-February.
The person was working for the medical device manufacturer and operated the 3D imaging technology in the hospital’s cardiac catheterization lab.
The hard drives were left in a vehicle from where they were taken. The hospital revealed that the room where the hard drives were stored was locked, and removal of the devices was against hospital protocol and breached established technical safeguards and contractual obligations. The representative believed the room was only locked as it was so late.
The hard drives included medical images such as a patient’s name, gender, date of birth, and a code number. The images could only be seen with specialist software. The clinic reported the theft to law enforcement and hired a private investigator, but the hard drives could not be found.