PHI Potentially Compromised Due to Prisma Health Website Breach and Seattle Cancer Care Alliance Email Error

Due to a data breach on the Palmetto Health website, Prisma Health Midlands is sending breach notifications to around 19,000 patients and 3,000 employees.

Prisma Health – previously called Palmetto Health – discovered on August 29, 2019 that a suspicious individual had obtained the login information of a Prisma Health employee. The attacker used the stolen credentials to access the Palmetto Health website, which stores volunteer registration details and patient pre-registration forms that had been completed online.

The forms related to 6 Midlands hospitals, and the information included names, addresses, birth dates, limited health information and, for some people, Social Security numbers. There was no medical information or financial data exposed. Prisma Health was not able to establish how long the attacker had access using the employee’s credentials.

Upon learning of the incident, Prisma Health changed the employee’s password to block further unauthorized access and updated its policies and procedures to avoid similar breaches in the future. Affected people were sent notifications by mail, and those whose Social Security number was exposed were offered 12 months of complimentary credit monitoring and identity theft protection services.

This year, Prisma Health has experienced several privacy breaches. In April, Prisma Health reported that a phishing attack resulted in unauthorized access to the email accounts of a number of employees. The PHI of 23,811 people was exposed due to the attack. In July, another privacy breach was announced when it was discovered that a notebook containing the PHI of OB/GYN patients from a Richland Campus in Columbia had been stolen from a physician’s car. The notebook contained the information of around 2,770 individuals.

Seattle Cancer Care Alliance Email Error

The email addresses of 944 patients of Seattle Cancer Care Alliance (SCCA) were exposed to other patients due to an error committed by a member of staff when sending an email invitation on August 27, 2019.

Rather than putting the email addresses in the blind carbon copy (BCC) field to shield the recipients’ email addresses from each other, the staff member put them in the visible fields, so everyone receiving the email invitation could see all of the email addresses. No other information was exposed.

SCCA is currently assessing its policies and procedures and will implement the safety controls needed to prevent similar breaches from happening again. Affected patients were sent notification letters on October 16, 2019.