The entities affected by the hack of Onsite Health Diagnostics continue to dribble out. In today's installment, we learn that the State of Tennessee's State Insurance Plan, Local Government Insurance Plan, and Local Education Insurance Plan members were affected by the hack of the state's wellness vendor's subcontractor. The incident was added to HHS's breach tool this past week.

PHIprivacy.net was able to obtain a cached copy of a notice that appeared on Tennessee's web site:

OHD Security Incident Information

Onsite Health Diagnostics (OHD) is the subcontractor of the state's wellness vendor, Healthways, which offers biometric screenings to our members. Healthways notified Benefits Administration that an unknown source gained unauthorized access to Onsite Health Diagnostic's 2013 computer system during the time period from January 4, 2014, to April 11, 2014.

The information that might have been accessed is: the name, address, email address, phone number, date of birth, and gender of 60,582 individuals who requested a physician screening form for their 2013 partnership promise. The information which was accessed did NOT include members' social security numbers, employee IDs or any medical or financial information. OHD has received no reports of identity theft related to this incident.

While this information did not contain any diagnosis or medical information, the state has determined that, because it is related to our members' health benefits, the disclosure of name, address, email address, phone number and gender does fall under the HIPAA definition of a breach of protected health information. The state has notified the Secretary of HHS of a Breach of Unsecured PHI.

For more information contact the State's Benefits Administration Privacy Officer at [email protected]
The previously reported March 2014 hack involving StayWell Health's subcontractor Onsite Health Diagnostics also affected employees of Staples in Massachusetts. The office supply firm notified HHS that 3,470 of their employees were affected. HHS's log does not indicate when Staples reported the incident to them.

As reported previously on this blog, other entities affected by the breach include Huntington Bancshares Inc., Group Health Care Plan of Ohio, Dominion Resources, Children's Mercy Hospital, and Motorola Mobility.
CORRECTION: Children's Mercy Hospital was affected by the breach that occurred in March 2014, not the 2012 breach.

Original story:

It seems like I'm reporting a lot of breaches involving StayWell Health Management and their vendor, OnSite Health Diagnostics, this year. It's probably because they've disclosed two breaches that affected numerous StayWell clients.

The latest entry is from Huntington Bancshares Inc. Group Health Care Plan of Ohio, who notified HHS that 4,487 enrollees were affected by a hacking incident discovered on March 25th. Ben Sutherly of the Columbus Dispatch provides coverage of the breach, noting that it was part of a breach at OnSite Health Diagnostics that also affected Dominion Resources (1,700 affected) and Motorola Mobility (940 affected):

Health, financial and Social Security data were secure, but hackers accessed current and former workers' names, user names, email addresses, mailing addresses, phone numbers, gender and dates of birth.

As Sutherly reports and as I noted above, this breach wasn't StayWell's first breach:

Nearly 18,600 people associated with Missouri Consolidated Health Care Plan, the Clorox Company Group Insurance Plan in California, the University of Minnesota, Nissan North America and QBE Holdings were affected by unauthorized access to network servers, a breach that began in the spring of 2012 but was not discovered until January this year.

A search of this blog reveals that Children's Mercy Hospital was also affected by that 2012 breach.
Kaveh Waddell reports on an issue near and dear to my heart: not all entities that collect or store health information are HIPAA-covered entities. Earlier this year, as one example, we saw the Systema Software leak that impacted numerous firms with a wealth of workers' compensation claims. And last year, we saw many employees' wellness data breached by a hack of Onsite Health Diagnostics. And most recently, of course, I reported on the leak of highly sensitive information from a dating app for people who are HIV-positive. And those are just a few of many examples I've reported over the past seven years.

Waddell reports:

… health-care companies are only a part of the picture. In fact, according to research published Wednesday by Verizon's business division, 90 percent of industries, from retail and finance to construction and mining, have experienced a breach of personal health information.

While the organizations in these other sectors may not keep extensive databases of patient information the way a health-care facility or insurer might, businesses in every industry have data from employee benefits and wellness programs, and many deal with workers' compensation claims. Included in all three are troves of personal health data.

Read more on The Atlantic.
Why is this first being disclosed now when other affected entities disclosed in March? Was StayWell late in notifying, or OnSite Health Diagnostics, or…?

Alan Bavley reports:

A security breach has been discovered in an online scheduling application used two years ago to register more than 4,000 Children's Mercy Hospital employees and spouses for a wellness program.

[…]

According to StayWell, the information was collected in 2012 from Children's Mercy employees and their spouses or domestic partners who registered online for a health-screening appointment. The data was stored by Onsite Health Diagnostics, a vendor used by StayWell.

StayWell has contacted the 4,076 people affected by the breach and provided them with the number to a telephone helpline. So far, the helpline has received about 23 calls.

Read more on Kansas City Star.
Andrea Zelinski reports:

Personal information on more than 60,000 government employees who participated in Tennessee's employee health screenings may be at risk for identity theft, according to state officials.

An unknown source hacked into Onsite Health Diagnostics' computer system, according to spokeswoman Lisa MacKenzie. Information like employees' name, date of birth, address, email address, phone number and gender were accessible in the breach, according to OHD, a company hired by the state's wellness contractor, Healthways. Details like social security numbers, employee IDs or medical information were not obtainable, the company said in a letter to affected employees dated Aug. 8.

The breach was discovered April 11 and traced back to having happened as early as Jan. 4, said OHD.

Read more on Nashville Post.