• Politics
  • Diversity, equity and inclusion
  • Financial Decision Making
  • Telehealth
  • Patient Experience
  • Leadership
  • Point of Care Tools
  • Product Solutions
  • Management
  • Technology
  • Healthcare Transformation
  • Data + Technology
  • Safer Hospitals
  • Business
  • Providers in Practice
  • Mergers and Acquisitions
  • AI & Data Analytics
  • Cybersecurity
  • Interoperability & EHRs
  • Medical Devices
  • Pop Health Tech
  • Precision Medicine
  • Virtual Care
  • Health equity

March's Reported Data Breaches: Another 120,000 Patients at Risk (So Far)

Article

Another month, another hundred-thousand-plus patients who may have had their protected health information (PHI) compromised.

Original image courtesy of Wikimedia Commons user Frank C. Müller. Image has been cropped and stylized.

UPDATED 4/4/18

Another month, another hundred-thousand-plus patients who may have had their protected health information (PHI) compromised.

Healthcare entities must notify the Department of Health and Human Services Office of Civil Rights (OCR) of any breach compromising 500 or more patient records within 60 days of discovery. Many of the events reported in last month may have begun in months before and only been reported after internal investigations…and it’s common for reports to trickle in later in the following month.

So far, OCR’s website has posted 20 breaches that were reported in March. In all, over 120,000 patients may have had their PHI put at risk by these incidents. That number is likely to rise in coming weeks, so check back for an updated post…but in the meantime, here’s how it all went down.

Unauthorized Access/Disclosure Incidents: 70,247 Patients

Unauthorized access accounts for a lot of the breaches that reach OCR. So far, it leads the way in March’s total both in number of incidents (9) and patients exposed (69,506).

The 2 largest reported breaches came from the same health system, Barnes-Jewish in St. Louis, Missouri. The OCR portal lists both Barnes-Jewish Hospital (18,436 patients affected) and Barnes-Jewish St. Peters Hospital (15,046 patients affected) in separate incidents reported on March 12th. Between May 9th, 2017 and January 23rd, 2018, scanned patient documents were publically available online without required security clearances. The health system does not know whether any of the information was actually accessed, but it directed patients to a 1-800 number for questions.

The 3rd largest breach affected the Special Agents Mutual Benefit Association health plan, which covers current or former federal employees. Nearly 14,000 subscribers’ family members were affected in the incident, which resulted from botched 1095-B forms being mailed out: Instead of containing descriptions of subscribers’ enrolled relatives, they instead just listed their Social Security numbers. The forms were mailed out on February 19th and the issue was detected days later.

There was 1 more 5-digit plus unauthorized access breach: Primary Health Care in Iowa noticed on March 1st that 4 of its employees’ emails had been accessed. It does not know what information, if any, was obtained, but as many as 10,313 patients might be affected.

Other unauthorized access incidents impacted North Texas Medical Center in Texas (3,350 patients), UnitedHealth Group Single Affiliated Covered Entity in Minnesota (1,755 patients), Arc of Erie County in New York (3,751 patients), John J. Pershing VA Medical Center in Missouri (1,843 patients), Front Range Dermatology Associates in Colorado (1,070 patients) and Walmart (741 patients)

Hacking Incidents: 42,263 Patients

Three hacking incidents were reported to OCR in March. The largest involved ATI Holdings, a national chain that runs physical therapy clinics. On January 11th, the company says that it noticed that multiple employees had had their direct deposit information changed. They found that an actor had accessed those accounts through a phishing attack. One or more of the accounts contained a trove of patient information, driver’s license or state identification numbers, Social Security numbers, credit card numbers, financial account numbers, Medicare or Medicaid identification numbers, and various other pieces of PHI. As many as 35,136 people were impacted.

Another incident affected Cambridge Health Alliance in Massachusetts, although not much is known about it. The breach was discovered recently and it was officially reported that 2,280 patients were affected. According to The Boston Globe, hospital officials are unsure if the information—which all came from patients who received treatment in 2013—was made available by accident or through an intentional hack. The incident is currently the most recent on the OCR breach portal.

One more incident affected Serene Sedation in Maryland. 5,207 patients may have had their information exposed.

Loss/Theft: 9,171 Patients

The OCR website lists 4 straight electronic device losses coming out of Massachusetts—although CareMeridian (1,922 patients) is in California and Georgia MENTOR (1,015) is in, wait for it…Georgia.

But the 2 aforementioned institutions issued near-identical statements about “an unencrypted disk sent by a third-party software provider containing documents that included sensitive information appeared to have been lost in the mail.” Center for Comprehensive Services, Inc. and Mentor ABI, LLC are also listed as Massachusetts-based institutions that had data breaches involving roughly 1,000 patients each and attributed, like the first 2, to an “other portable electronic device.” All 4 are also owned by Boston’s National Mentor Holdings, Inc, which would indicate that the situations are connected.

There was 2 incidents of theft in March: inSite Digestive Health Care in California reported a “paper/films” theft on that may have impacted 1,424 patients, and Milligan Chiropractic Group in California reported a laptop containing information about 2,640 patients had been stolen. "Although the laptop was password protected and we are not aware of the misuse of any information, we could not rule out the possibility that your personal information, including your name, date of birth, clinic notes and progress notes may be at risk," the latter event's notification letter says.

Improper Disposal: 1,412 Patients

St. Francis Hospital in Georgia reported on March 14th that in mid-January, “some administrative documents intended to be shredded were inadvertently picked up and improperly disposed of with the Hospital's regular waste.” The documents contained PHI—including Social Security numbers and billing info—for as many as 1,412 patients.

Related Coverage:

After Failing to Avert Data Breach Lawsuit, CareFirst Gets Hacked Again

The MyFitnessPal Data Breach Must Resonate Beyond Its Userbase

Newly-Reported Incidents Put February's Compromised Patient Record Total Over 300k

Related Videos
Image: Ron Southwick, Chief Healthcare Executive
Related Content
Image credit: ©tippapatt - stock.adobe.com

Healthcare mergers may face more questions about cybersecurity

April 18th 2024
Article

In the wake of the Change Healthcare attack, regulators may look more closely at protections for data privacy as they examine deals, experts say.

The rise of third party cyberattacks in healthcare | Data Book podcast

The rise of third party cyberattacks in healthcare | Data Book podcast

March 11th 2024
Podcast

Dan Dodson, the CEO of Fortified Health Security, talks about the risks to hospitals, AI in attacks and defense, and what health systems can do to protect themselves.

Image credit: American Hospital Association

Change Healthcare cyberattack: Health leaders ask Congress for help with cybersecurity

April 17th 2024
Article

During a House panel hearing on the attack, hospital and health industry leaders urge lawmakers to help deal with attacks from ransomware groups.

Hospitals face evolving threats from cyberattacks | Data Book podcast

Hospitals face evolving threats from cyberattacks | Data Book podcast

December 7th 2023
Podcast

Michael Hamilton, founder and chief information security officer of Critical Insight, talks about trends in attacks and emerging threats in the coming year.

Image: Ron Southwick, Chief Healthcare Executive

Change Healthcare cyberattack: Lawsuits emerge, and more are coming

April 5th 2024
Article

Several suits have already been filed and others are expected due to the ransomware attack that has affected hospitals and providers nationwide.

Image: Ron Southwick, Chief Healthcare Executive

American Hospital Association CEO talks about Change Healthcare ransomware attack and cybersecurity

April 4th 2024
Article

Rick Pollack discussed the cyberattack and its ramifications at the Hospital + Healthcare Association of Pennsylvania Leadership Summit.

© 2024 MJH Life Sciences

All rights reserved.