The first breach case happened to Massachusetts-based Sports Medicine & Rehabilitation Therapy (SMART) on September 2017 which potentially exposed the PHI of 7,000 patients. Patients who visited a SMART center prior to December 31, 2016 had been alerted of the potential breach. The information potentially stolen includes insurance numbers and diagnostic codes. No financial data or Social Security numbers were stolen.
The breach was actually an extortion attempt by hackers who allegedly gained access to the SMART systems and stole data. The hackers demanded a ransom payment in exchange for not releasing the information online. There was no indication in the breach notification letters sent to patients that ransom was paid. But the patients were assured that data was not and will not be used for any nefarious purposes.
The FBI and Homeland Security investigated the incident but no details were released. SMART tried to get a copy of the police report through the Freedom of Information Act, but this was done after the notification letters were sent.
The second breach case is the accidental exposure of PHI of 6,000 patients, which was discovered on September 27, 2017. The North Carolina Department of Health and Human Services sent a spreadsheet of PHI by mistake to a vendor in an unencrypted email.
The NC DHHS contacted the vendor in question right away. The vendor securely deleted the spreadsheet, but it’s possible that the email was intercepted in transit by unauthorized persons. The risk of intercepted data and misuse is believed to be low.
The information contained in the spreadsheet included names, Social Security numbers and test results of persons who had routine drug screening tests with the NC DHHS for employment, volunteer or intern opportunities. NC DHHS reviewed its policies and procedures to prevent similar incidents from happening again.