Four Healthcare Data Breaches Exposed the PHI of 9,400 Patients

This is a summary of data breaches that have recently to the Department of Health and Human Services’ Office for Civil Rights or disclosed to media outlets.

The Pennsylvania Department of Human Services has discovered a configuration error in its Compass system that allowed individuals to gain access to the protected health information (PHI) of other people who had previously been in the same benefit household but are now included in a different case record.

The information that could potentially have been accessed includes names, birth dates, citizenship information, and reported employment information, although not Social Security numbers. To date there appears to have been no misuse of any PHI. The system glitch was discovered on May 23, 2018 and has now been fixed. 2,130 people have been affected by the breach and have recently been sent notifications.

The Institute on Aging located in San Francisco, CA, has discovered an unauthorized individual accessed several employees’ email accounts. The breach was identified on May 28, 2018, although it is not known how long the email accounts were accessed and whether any PHI was downloaded.

The Institute on Aging retained expert data breach response professionals to safeguard its systems and deal with the breach response. The compromised employee email accounts were examined and found to contain the protected health information (PHI) of 3,907 patients. The following information was contained in messages and attachments: patient and employee names, email addresses, birth dates, financial information, diagnoses, treatment data, and medical payment details. All people affected by the breach were sent notification letters on July 20 and have been offered free 12 months of credit monitoring and identity theft protection services.

Rocky Mountain Health Care Services located in Colorado Springs has discovered an unencrypted laptop has been stolen. The protected health information (PHI) of 1,087 patients was stored on the device. The theft occurred on May 15, 2018 and the internal investigation revealed names, birth dates, addresses, Social Security numbers, diagnoses, prescription information and treatment plans had been exposed. Affected individuals have been offered credit monitoring and identity theft restoration services for 12 months at no cost. This is the third time that Rocky Mountain Health Care Services has experienced a laptop theft in the past 12 months. Rocky Mountain discovered that a laptop was stolen on September 28, 2017, and another device was stolen on June 18, 2017 along with a mobile phone.

Rocky Mountain Health Care Services has now examined its policies and procedures on information security and has implemented further portable device safety controls and PHI is now encrypted on all company-owned laptops.

Ambercare Corporation in New Mexico, a provider of hospice and home care services, has announced that an unencrypted laptop computer containing the protected health information (PHI) of 2,284 patients has been lost.

The laptop, which had been officially provided to an Ambercare staff member, was discovered to be missing on May 30, 2018. The laptop has password-protection enabled, but it was not encrypted. The PHI kept on the computer was required by the employee to complete work duties and included names, birth dates, addresses, diagnostic information, clinical data, and Social Security numbers.

Ambercare has reported the loss and potential theft to law enforcement and employees have been given additional training on physical security of electronic devices. Affected patients have been offered complimentary credit monitoring services through Experian for 12 months.