Apr 20 2018

Bill Lukitsch reports:

Personal financial and medical information of more than 4,000 people was mailed to the wrong addresses earlier this year, two state agencies announced Friday.

“Notices containing personal information were mailed to 4,136 individuals at incorrect addresses,” a news release from the Illinois Department of Healthcare and Family Services and Department of Human Services said.

Read more on Chicago Tribune.

Apr 18 2018

Florida-headquartered MedWatch, LLC is a care management company, providing risk management solutions to the self-funded health plan market.  On or about April 13, they started notifying their clients’ health plan members after learning that a vendor misconfiguration error had exposed protected health information between October 20, 2017 and December 15, 2017.

MedWatch did not name the vendor involved. Nor did they disclose how many people had their data exposed on the internet, or who their affected clients were.

You can read the full substitute notice, below.

MedWatch_Substitute Notice

Although the substitute notice does not mention it, MedWatch is offering those affected 12 months of complimentary identity protection services with ID Experts.

Update: We still don’t have total numbers yet, but they notified 1,061 New Hampshire residents.

Apr 18 2018

Polk County Health Services, Inc., in Iowa recently started notifying 1,071 patients seen at the Crisis Observation Center in Des Moines, Iowa between June 1, 2014 and January 11, 2018. According to a statement issued on April 13,  Polk County Health Services, Inc. “accidentally and unknowingly disseminated” personal and protected health information for patients seen during that time period.  They first became aware of the breach on February 14, 2018.

The information unknowingly disclosed includes: full name, home address, Social Security number, Medicaid identification number, date of admission to the Crisis Observation Center and discharge location. The statement from PCHS indicates that they do not have evidence the information was improperly used.

PCHS’s notification did not explain how the data were accidentally disseminated, nor how PCHS discovered the breach on February 14, 2018. Email requests for clarification to the Executive Director of Polk County Health Services, Inc. and to the Privacy Officer for Polk County Health Department Director have not yet been answered. PCHS has reported the incident to HHS, and it appears on HHS’s public breach tool.

You can read the entire notice from PCHS’s web site, below:

Apr 18 2018

WSOC reports:

Patients’ Social Security numbers, dates of birth and names were all handed over to fraud suspects by a Carolina Digestive Health Associates employee.

In their search warrant, police said she admitted to sharing around 100 people’s personal information to fraud suspects.

She also agreed to let detectives check her phone, and the warrant said they saw several pictures of personal information including names, dates of birth and Social Security numbers of patients.

Read more on WSOC.

Carolina Digestive Health Associates issued the following statement:

CHARLOTTE, NC—April 17, 2018—Carolina Digestive Health Associates (“CDHA”) has become aware of a data security incident that may have involved the personal information of some of its patients. CDHA will be sending notification letters to the potentially involved patients to notify them of this incident and to provide resources to assist them.

On January 10, 2018, CDHA was contacted by the Charlotte-Mecklenburg Police Department and told the police had discovered that a CDHA employee had stolen personal information belonging to some patients. The involved employee has been terminated and CDHA is continuing to cooperate with the police investigation. In addition, CDHA has conducted its own investigation to identify any other patient records the employee may have accessed and what information was contained in those records.

Law enforcement asked CDHA to delay notification to affected patients while they investigated the situation and the employee involved. Notification letters will be sent to all affected patients via U.S. mail and will include information about the incident and steps potentially affected patients can take to monitor and protect their personal information. CDHA has established a toll-free call center to answer questions about the incident and to address related concerns. The call center will be available beginning Wednesday, April 18 at 2:00 p.m. ET, and thereafter, Monday through Friday from 8:00 A.M. to 5:00 P.M. EST at 888-284-9087. In addition, out of an abundance of caution, CDHA is offering identity protection services through ID Experts to potentially impacted individuals at no cost.

CDHA takes the security of all patient information very seriously and is taking steps to prevent a similar event from occurring in the future, including restricting employee access to patients’ sensitive information, and increasing the monitoring and auditing of access to patient records. CDHA deeply regrets any inconvenience or concern this incident may cause.

Their full statement can be found on their web site.

Apr 18 2018

Matthew Umstead reports:

A former Berkeley Medical Center employee was ordered Monday by a federal judge to pay more than $22,000 in restitution stemming from allegations that she obtained hospital patients’ information to open credit card and other financial accounts.

Angela Dawn Roberts, aka Angela Dawn Lee, 42, of Stephenson, Va., who pleaded guilty in July to one count of identity theft, was sentenced Monday to five years of probation by Chief U.S. District Judge Gina M. Groh.

Read more on Herald Mail.