Breach Notices from American Medical Response and Bloodworks Northwest

A phishing attack on American Medical Response, a provider of emergency and patient relocation services in Greenwood Village, CO resulted to the access by an unauthorized person of the protected health information (PHI) of 4,300 patients who availed its ambulance service in the past.

The compromised information contained in the email accounts of an employee included names, addresses, birth dates, Social Security numbers, medical insurance identifiers, and diagnostic and treatment data. The breach only affected the email accounts and not the other systems or databases.

Although patients’ PHI was likely accessed, there is no report received that suggest the misuse of any patient information.

American Medical Response already notified by mail all patients impacted by the breach and offered them free credit monitoring services. Additional security measures were put in place to minimize the risk of other email account breaches. The employees underwent additional training on security awareness.

Bloodworks Northwest, a blood bank and medical research institute based in Seattle, WA, is notifying 1,893 patients about the exposure and potential theft of some of their PHI.

Bloodworks Northwest discovered on March 13, 2019 that a list was missing from the desk of an employee. The list contained patients’ names, birth dates, and medical diagnoses. Although a search was conducted to find the list, it was not found.

According to the Notice of Data Privacy Event posted on the webpage of Bloodworks, there was no information received regarding the misuse of any personal information resulting from the impacted email account, but patients are advised to stay vigilant against occurrences of identity theft and fraud, to examine company account statements, and to keep track of credit reports for suspicious transactions.

It is not clear if the notice was a mistake or if there was an email account compromised as well. The breach report Bloodworks Northwest submitted to the HHS’ Office for Civil Rights only indicated loss of paperwork as the cause of the breach.