UMC Physicians and MSK Group Notify Patients of PHI Breach

The email account of a doctor at UMC Physicians in Texas was hacked, which resulted to the potential exposure of some of the protected health information (PHI) of approximately 18,000 patients. The IT team of UMC Physicians discovered the breach on May 18, 2015, but the hacking took place on March 15. The hacker had two months of access to the information stored in the email account before the account was secured.

The investigators of the security breach did not find any proof of misuse of PHI, although unauthorized accessing of patients’ PHI could not ruled out. UMC Physicians has already notified the patients whose PHI was potentially accessed and one year of credit monitoring and identity theft protection services has been offered without charge.

The following information might have been accessed by the hacker: Patients’ names, telephone numbers, addresses, birth dates, medical record numbers, Social Security numbers, dates of service, diagnoses and health insurance details. UMC Physicians has enhanced its security controls to prevent any further unauthorized accessing of email accounts.

A hacker also gained access to the network of MSK Group – an integrated orthopedic practice in Tennessee – and intermittently accessed the system for several months. The IT team of MSK Group discovered the breach on May 7, 2018 and a third-party information security company was hired to investigate. According to the investigation, there was no indication that the hacker stole any information, although the security company confirmed that the hacker accessed some parts of the network which held the PHI of patients.

Some of the information that was potentially accessed includes patients’ names, fax numbers, telephone numbers, addresses, email addresses, birth dates, driver’s license numbers, diagnostic images, photographs, Social Security numbers and health record information.

MSK Group sent out notification letters to all affected patients on July 9 and offered them one year free credit monitoring and identity theft protection services. There was no disclosure regarding the number of patients affected by the breach. The security consultants are still working with MSK Group to improve its network security controls.