Health data breaches due to external actors continue to predominate recently.
Because I’m at a conference, it’s been hard to update a lot, but here are a few of the health data breaches I’ve spotted this week:
Main Line Endoscopy Centers in Pennsylvania announced that it recently mailed notifications to patients whose personal information was in an employee’s email account a t the time that the employee fell for a phishing attack. According to their report to HHS, 14,305 patients were notified.
They were not the only healthcare provider busy making notifications after compromise of office email accounts. The Oregon Endodontic Group reported that on November 13, 2018, they became aware of suspicious activity in the office’s email accounts. Investigation revealed that emotet malware had been downloaded onto the computer a few days previously. Investigation could not definitively rule out that patient protected health information had been exfiltrated. The ePHI included name and one or more of date of birth, treatment/diagnosis information or health insurance information for most of the affected individuals. In addition, name and Social Security number was included for 41 individuals, name and driver’s license number for 2 individuals, and name and financial account information for 7 individuals. The total number of individuals sent notification was not revealed. The incident was reported to the Oregon Attorney General’s Office on April 2, but it’s not clear why it took so long to notify.
And then there was the Gifted Development Center, part of the Institute for Advanced Study of Development in Colorado, who reported that an office burglary on February 5, resulted in the theft of several computers containing children’s psychoeducational testing reports. If you’re not familiar with such evaluations, they contain a wealth of information. As they explain:
Your child’s report describes our assessment of your child, which includes personal information such as name, date of birth, address, your names, comments about family and medical history, scores and observations from evaluations, diagnoses (both prior to and by our staff), school and education information, and recommendations for your child’s continued development. There are no Social Security numbers, driver’s licenses, or financial information included in your child’s report.