18,000 People Affected by Three Separate Healthcare Security Breaches

Redwood Eye Center Ransomware Attack

IT Lighthouse, the managed service provider hosting the electronic health records (EHR) of Redwood Eye Center located in Vallejo, CA, experienced a security breach in which the protected health information (PHI) of 16,000 patients was potentially compromised.

IT Lighthouse provides services such as computer support, application hosting, and electronic health records hosting to healthcare organizations. On the night of September 19, 2018, hackers installed ransomware on a server that was used to host the health records of Redwood Eye Center patients. IT Lighthouse notified Redwood Eye Center about the data breach on September 20, 2018.

IT Lighthouse hired a third-party computer forensics company to help investigate the incident and an expert medical software vendor helped Redwood Eye Center recover its health records.

While data access was not confirmed, the attackers potentially viewed and/or copied the following types of data: Names, birth dates, addresses, medical insurance data, and treatment information. Redwood Eye Center notified affected patients as a safety precaution on December 6, 2018.

Redwood Eye Center sent a breach notification letter to the California attorney general indicating 16,055 California residents were affected by the PHI breach.

Butler County Email Privacy Breach

Butler County, OH, has notified around 1,350 employees about the exposure of some of their PHI. In September, the wellness coordinator of Butler County sent an email message about health insurance with an attached spreadsheet that contained the employees’ wellness data.

The spreadsheet included hidden columns that contained the following information: Names, insurance ID numbers and details related to the participation of employees in the county wellness program. The file did not contain highly sensitive information such as Social Security numbers, usernames/passwords, or financial information. Butler County advised individuals affected by the breach to take precautions to prevent their insurance details from being used for fraudulent activities. Butler County consulted legal experts regarding the breach and was instructed to submit an incident report to the Department of Health and Services’ Office for Civil Rights has it may have constituted a HIPAA violation.

Thielen Student Health Center Software Coding Error

Thielen Student Health Center located in Ames, IA, has notified 599 patients that some of their PHI was impermissibly disclosed to other patients. A coding error in the software used by the center to send satisfaction surveys to patients was introduced when inputting patient data. Because of the error, patients’ names, providers’ names and appointment dates were added to the surveys. The above information of affected persons was disclosed to another patient.

The error was quickly discovered and the health center was able to recall many surveys before they were viewed. Thielen Student Health Center has notified all affected persons and make changes to prevent similar impermissible disclosures in the future, including the removal of all personally identifiable information.