PHI of 45,000 Individuals Potentially Exposed Due to Integrated Regional Laboratories, Bayview Dental and Mid-Valley Behavioral Care Network Breaches

Florida-based Integrated Regional Laboratories (IRL) notified around 30,000 patients concerning the potential compromise of their protected health information (PHI) due to the American Medical Collection Agency (AMCA) data breach, which was identified on March 20, 2019.

AMCA advised IRL on June 3, 2019 that it had experienced a data breach and confirmed on June 13 that IRL patients’ PHI was exposed.

IRL posted a breach notice on its company website on July 30 and also sent notifications to its patients. IRL stopped providing patient data to AMCA and discontinued using AMCA’s services after the breach. IRL also instructed AMCA to safely dispose of all copies of IRL patients’ PHI.

The breach summary posted on the HHS Office for Civil Rights (OCR) breach portal stated that the breach impacted 29,644 patients.

In the past couple of days, the OCR breach portal was updated and now lists 22 HIPAA-covered entities affected by the AMCA breach. Thus far, 24,739,540 records are confirmed as exposed, and based on provisional data, there are likely over 26 million total victims of the AMCA breach.

Bayview Dental Server Hacking

1,938 patients of Bayview Dental received notifications concerning the unauthorized access of their PHI stored on a hacked server.

Bayview Dental identified suspicious server activity on May 28, 2019. Forensic experts who investigated the potential breach reported on July 4, 2019 the potential access of the PHI of some Bayview Dental patients. There was no means of knowing whether the attacker was able to view or copy patient information.

The exposed information of the affected patients may include their names, phone numbers, addresses, birth dates, medical/dental history, dental insurance information, and, for certain patients, Social Security numbers.

The persons affected by the breach received notification letters and offers of one year of free credit monitoring services. Bayview Dental put in place extra security measures to avert further breaches. Employees also received additional training on data privacy and security awareness.

Mid-Valley Behavioral Care Network Phishing Attack

Mid-Valley Behavioral Care Network (BCN), located in Salem, OR, discovered that two employees’ email accounts had been accessed without authorization. The security breach was identified on June 26, 2019, and investigators of the incident confirmed that the accounts were compromised for 24 hours.

BCN is a service provider of the Willamette Valley Community Health (WVCH) plan. Thus, the breach impacted the PHI of 10,710 WVCH plan members, as well as the personal information of 2,092 Oregon Health Plan members.

Whether the attacker viewed email messages or stole PHI is not confirmed. BCN sent notification letters to affected members on August 9, 2019 and implemented extra security measures to prevent further breaches.