[BreachExchange] 79K Patients Affected by Emory Healthcare Data Breach

Audrey McNeil audrey at riskbasedsecurity.com
Thu Mar 2 18:12:32 EST 2017


http://healthitsecurity.com/news/79k-patients-affected-by-emory-healthcare-data-breach

March 02, 2017 - Nearly 80,000 patients were potentially impacted by a
recent data breach at Georgia-based Emory Healthcare’s Orthopaedics & Spine
Center and Brain Health Center (EHC) at Emory Clinic.

On January 3, 2017, EHC became aware of an incident of unauthorized data
access involving a third party database called Waits & Delays. The
healthcare organization explained in an online statement it had used the
database to update patients on appointment information.

The database—which contained appointment information including patient
names, dates of birth, contact information, internal medication record
numbers, dates of service, and physician names—was deleted by an
unauthorized individual who then requested that EHC pay the individual to
have it restored.

Potentially impacted patients include any individuals who scheduled an
appointment at the Orthopaedics & Spine Center within Emory Clinic between
March 25, 2015 and January 3, 2017, and any patients with an appointment at
Emory Clinic Brain Health Center between December 6, 2016 and January 3,
2016.

The OCR data breach reporting tool states that 79,930 individuals were
affected by the incident.

EHC maintained that no patient Social Security numbers, financial
information, diagnoses, or any other information from patient EHRs were
accessed during the incident.

EHC discovered another instance of unauthorized access by an independent
security research center. That incident had occurred in an effort to find
gaps in application security to alert companies of areas needing
improvement.

After learning of the data breach, EHC launched an internal investigation
and notified law enforcement. The health organization is presently in the
process of informing potentially impacted patients and reassessing their
security measures to make any necessary changes to internal and external
systems containing patient information.

Currently, EHC said it has no indication any patient information has been
misused in any way.

Ransomware attack impacts 17K

Minnesota-based Family Service Rochester (FSR), a nonprofit organization
providing support for health and wellness in surrounding communities,
recently suffered a ransomware attack potentially impacting the information
of nearly 17,000 patients.

FSR explained in an online statement that it discovered on January 26, 2017
that a “portion of its files had been encrypted by ransomware.” FSR
promptly initiated a law enforcement investigation into the incident and
discovered there had been unauthorized access from December 26, 2016 to
January 25, 2017.

The OCR data breach tool reports that 17,037 individuals were affected by
the ransomware attack.

In some cases, potentially exposed patient information included patient
addresses, Social Security numbers, insurance identification numbers, and
medical information.

FSR has notified potentially affected patients and is offering them a year
of free identity protection services. The healthcare organization said it
is taking steps to ensure the security of all of its systems in the future.

Vanderbilt University discovers unauthorized employee access of medical
records

Vanderbilt University Medical Center (VUMC) recently became aware of
unauthorized employee access to patient medical records.

A VUMC spokesperson sent an email with a statement to HealthITSecurity.com
that explained that employees working as patient transporters were
accessing patients’ electronic medical records in an unauthorized manner.

VUMC performed an audit of the electronic medical records accessed by the
employees between May 2015 and December 2016, the statement read. Two
employees viewed adult and pediatric patient information, including
patients’ names, dates of birth, and medical record numbers for internal
use.

One employee also gained access to patient Social Security numbers in a
limited number of instances.

Currently, VUMC has no indication any patient information was downloaded,
transferred, or misused in any way.

Patients have been notified of the incident through advisory letters sent
by mail.

“We are committed to providing our patients the highest quality care and
protecting the confidentiality of their personal information. To our
knowledge, the information the employees viewed was not printed, forwarded
or downloaded. So far, we have no reason to believe that our patients’
personal information has been used or disclosed in other ways,” said VUMC
Chief Communications Officer John Howser. “While we are not aware of any
risk of financial harm to these patients, we are contacting each of them by
letter to recommend that they vigilantly review account statements and
their credit status.”

VUMC has offered services to any patients concerned about fraud or identity
theft.

A report from The Tennessean stated that 3,247 medical records were
accessed.

WVU Medicine employee prosecuted for identity fraud

On January 17, 2017, West Virginia University (WVU) Medicine University
Healthcare became aware of an FBI law enforcement investigation into the
unauthorized access, use, and disclosure of PHI for over 7,000 patients.

University Healthcare said in an online statement that it immediately
launched an investigation into the incident and found confirmed evidence an
employee had committed identity theft against 113 patients since March 1,
2016. Police found copies of driver’s licenses, ID cards, insurance cards,
and Social Security cards in the employee’s possession.

The employee has since been terminated for her conduct and will be
criminally prosecuted. University Healthcare has since notified all 113
confirmed victims of the incident and is working to notify all 7,445
patients potentially impacted during the breach.

“University Healthcare understands the importance of safeguarding our
patients’ personal information and takes that responsibility very
seriously,” University Healthcare President and CEO Anthony P. Zelenka
said. “We regret that this incident has occurred. We are committed to work
with our patients whose personal information has or may have been
compromised, and help them work through the process.”

NC health department exposes PHI

The North Carolina Department of Health and Human Services (DHHS)
potentially exposed the PHI of 12,731 Medicaid patients to adult care homes
via unencrypted email, according to a News & Observer report.

On November 20, 2016, a state DHHS employee reportedly sent an unencrypted
email containing patient names, Medicaid numbers, and addresses. DHHS has
since swapped Medicaid numbers for identification numbers to avoid future
incidents.

Currently, DHHS said there is no evidence the information has been used
improperly in any way.