Newly-Reported Incidents Put February's Compromised Patient Record Total Over 300k

Although healthcare institutions are required to report incidents that compromise patient protected health information (PHI) to the Department of Health and Human Services Office for Civil Rights within 60 days, the postings sometimes become public days or weeks after the end of the month.

Since our first post on the matter earlier this month, reported events—and affected patients—have doubled. In 24 incidents, the data of over 300,000 patients was potentially put at risk. Here’s an updated look at all the publicly-known breaches that healthcare organizations reported in February.

Hacking Incidents: 154,770 Patient Records

It was looking like a mild month for hacking incidents before a surgical center in upstate New York reported a breach that may have affected as many as 134,512 people. St. Peter’s Surgery & Endoscopy Center revealed in a statement that an unauthorized third party accessed its server on January 8^th. The breach was discovered the same day.

No banking or credit card information was reportedly stored on that server, and patients not on Medicare were told their social security numbers were not affected. names, dates of birth, addresses, dates of service, diagnosis codes, procedure codes, insurance information and some Medicare information—including, possibly, social security numbers—were affected. Healthcare Analytics News™ is awaiting comment from the provider regarding the event.

Prior to that disclosure, only about 20,000 patient records were reportedly affected by hacking incidents. The University of Virginia Medical Center detected malware on that may have allowed a hacker to view health records of 1,882 patients between 2015 and 2016. A practice in Alabama reported a ransomware attack that encrypted the electronic health records of 6,550 patients, and a California pharmacy chain noticed what it called “unusual activity in an employee email account.” An outside actor may have had access to the names, pharmacy account numbers, and payment adjustment information of 6,781 patients.

Partners HealthCare System in Massachusetts (2,450 patient), Coastal Cape Fear Eye Associates in North Carolina (925 patients), and Forrest General Hospital in Mississippi (1,670 patients) also suffered breaches.

Unauthorized Access/Disclosure: 136,759 Patient Records

Unauthorized access incidents continue to be the most commonly-reported breaches. Half (12 of 24) of all listed events from February fall into the Unauthorized Access/Disclosure category.

The largest event was yet-another windowed envelope gaffe, this time by Tufts Health Plan in Massachusetts. Roughly 70,000 patients were mailed identification cards in transparent envelopes that exposed their member identification numbers.

Smaller events just being reported include a mailing mixup by the Missouri Department of Mental Health that saw 1,000 surveys sent to the wrong addresses and a pair of incidents involving 5,600 and 1,100 patient records in the Rhode Island Executive Office of Health and Human Services. Walmart reported an unauthorized EMR access event affecting 735 people, and for the second month in a row QuadMed clinics in Wisconsin announced breaches affecting over 5,000, though it is unclear if those events are related to the incident the company reported in January. An email-based unauthorized disclosure incident affecting 1,512 patients at Memorial Hospital at Gulfport in Mississippi was also listed today.

Already reported was an incident where Puerto Rico Health Plan Triple-S Advantage inadvertently mailed health information to the wrong patients more than 36,000 times. Social Security numbers were not included, according to the company, but patient identification numbers, names, and procedure codes were.

Other entities reporting incidents were CarePlus Health Plan in Kentucky (11,248 patients), Center for Sports Medicine and Orthopedics in Tennessee (800 patients), and ConnectiCare in Connecticut (1,834 patients)

Improper Disposal: 9,956 Patient Records

A Shoprite grocery store in New Jersey reported improperly disposing of nearly 10,000 patient records on some form of portable electronic device, although no other information was immediately available.

Loss/Theft: 1,827+ Patient Records

A laptop stolen from a California College of the Arts employee in January may have contained personal information about thousands of patients. A letter sent to potentially-impacted individuals said that 2,581 individuals were included in the breach, although HHS’s official reporting page only counts 623 impacted individuals. The reason for that disparity is unclear.

In 2 other incidents, 1,204 patients were reported to have been put at risk. The City of Detroit apparently lost some sort of electronic portable device containing information on 544 of those patients. Eastern Maine Medical Center in Bangor, Maine, notified 660 patients that an external hard drive containing their PHI could not be located, though it stressed in a statement that “Social Security numbers, addresses, and financial information were not stored on this device.”

The device belonged to a third-party vendor. Although the organization simply said in its statement that the device couldn’t be found, it reported the incident to OCR as a theft.