Almost 10,000 Health Plan Patients Affected by Data Breaches at TriHealth and Centura Health


TriHealth, a health system based in Cincinnati, is notifying 2,433 patients because their protected health information (PHI) was impermissibly disclosed to a student mentee.

A former TriHealth doctor was supervising the student, who accessed patient data for a prospective research project. On June 8 to June 9, 2018, the student obtained patient information such as first and last names, birth dates, race, life status, cancer diagnosis details, and zip codes.

TriHealth believes that patient PHI was not misused and was solely accessed because of the potential research project.

Considering that the student was not an authorized TriHealth employee, accessing patient information is not allowed. Therefore, patient information was impermissibly disclosed which called for the issuance of breach notifications to affected patients. TriHealth already sent the notification letters.

TriHealth published a breach notice on its website stating that all employees receive training about the hospital’s privacy policies upon hiring and undergo yearly re-training. In case of hospital policy violation, employees face corrective action which may include termination from employment. The same process was implemented in this instance.

Centura Health, another health system based in Centennial, CO, is notifying 7,515 patients regarding the exposure of their PHI due to an email security breach.

Centura Health identified the email breach on April 16, 2019 and immediately secured the impacted email account. Forensic investigators proved that an unauthorized person accessed the account and might have viewed or acquired patient data from the email messages and attachments. Even though no proof indicates the access, theft or misuse of PHI, patients still received notifications as a precautionary measure beginning May 22, 2019.

The following patient information were exposed in the breach: Name, birth date, demographic data, account number, medical record number, dates of service, treating doctor, services acquired, medical device provided, and other clinical data. Health insurance details, financial information, or Social Security numbers were not included in the exposed information.

Centura Health took the necessary action to lower the risk of even more email security breaches. Employees received retraining on email security. The use of strong passwords was implemented. Email security was further enhanced.