[BreachExchange] Neurology Foundation Unauthorized PHI Access Could Affect 12K

Audrey McNeil audrey at riskbasedsecurity.com
Thu Sep 21 20:03:45 EDT 2017


https://healthitsecurity.com/news/neurology-foundation-unauthorized-phi-access-could-affect-12k

Rhode Island-based The Neurology Foundation, Inc. (Foundation) recently
announced that an employee had been accessing PHI without authorization. The
employee had been using a company credit card to make unauthorized
purchases, but it was discovered that the individual had also transferred
certain Foundation data onto a hard drive stored in the employee’s home.

“The storage of Foundation data on external media is not permitted by the
Foundation and the Foundation has since recovered the hard drive,” the
organization said.

A third-party forensic investigation determined on May 25, 2017 that the
same individual had also “transferred sensitive information onto his
desktop, a hard drive, and several thumb drives.”

“The employee has been terminated and the Foundation has been working
diligently, with the assistance of third-party forensic investigators, to
determine the full nature and scope of this incident, and to confirm the
security of its systems,” the Foundation stated.

Potentially affected information includes patient names, addresses, phone
numbers, email addresses, sex, race, dates of birth, Social Security
numbers, medical diagnoses, treatments and medications, insurance policy
numbers, bank account numbers, and/or medical record numbers.

The OCR data breach reporting tool states that 12,861 individuals may have
been impacted.

There is not currently any indication that the information has been misused
or attempted to be misused, the Foundation maintained. However, the
organization is still providing free credit monitoring services to those
who were possibly affected.

SECURITY BREACH COULD AFFECT 12K AT HAND REHABILITATION CLINIC

Hand & Upper Extremity Centers, dba Hand Rehabilitation Specialists (HRS),
recently reported that it may have been the victim of a security breach to
its network.

The organization did not specify how it had possibly been infiltrated, just
that it was informed of the incident on July 5, 2017.

“To date, law enforcement has found no evidence of any information leaving
HRS’s system,” HRS said in a statement. “However, unauthorized access could
not be ruled out, so out of an abundance of caution, HRS is providing
notice to all individuals who could be potentially affected and providing
protective services to those who choose to take advantage of the service.”

Patients and their financial guarantors seen from 2003 to 2014 may have
been affected. Information involved may include patient names, dates of
birth, addresses, phone numbers, Social Security numbers, dates of
services, diagnoses, CPT (billing) codes, cost, amount of co-pays made by
checks, medical insurance companies, insurance group numbers and contact
information, check numbers, and HRS’s name and practice contact information.

The OCR data breach reporting tool reports that 12,806 individuals may have
been affected.

“Hand Rehabilitation Specialists notified all three consumer reporting
bureaus, the applicable state and federal agencies, it is reviewing office
policies and procedures, and it will continue work with law enforcement in
its criminal investigation,” HRS reported.

FL GROUP REPORTS PHISHING SCHEME

The Florida Healthy Kids Corporation (Corporation), which is an
administrator of the Florida KidCare program, announced that a phishing
scheme may have impacted a group of Florida KidCare families.

The unauthorized access may have exposed some personal electronic data for
a limited time, according to a Corporation release.

“On September 7, 2017, the Corporation notified approximately 1,700
individuals that its electronic mailboxes were victim to a ‘phishing’
scheme which left their personal data on file with the Corporation
accessible to unauthorized persons or entities for a 24-hour period from
July 25, 2017 to July 26, 2017,” the Corporation explained.

Nearly 300 other individuals may have been affected, but the Corporation
said it did not have contact information for those parties.

The incident was discovered on July 27, 2017, and the Corporation
immediately “shut down any unauthorized access to impacted email accounts
and launched an investigation.”

Possibly affected data included names, addresses, telephone numbers, family
account numbers, and Social Security numbers.

“Protection of personal information and privacy remains a top priority for
the Corporation and the Florida KidCare program,” the statement read. “The
Corporation has instituted changes to further enhance its policies and
procedures to protect your privacy.”

CYBERSECURITY ATTACK AFFECTS NORTH CAROLINA HOSPITAL

North Carolina-based Morehead Memorial Hospital recently experienced a
cybersecurity attack stemming from “fraudulent communications,” according
to an online statement.

It was not specified when the incident took place, only that the
unauthorized party was able to obtain login information giving the party
access to two email accounts within the hospital.

“Promptly upon learning about these communications, steps were taken to
address the incident,” Morehead stated. “Our IT staff cut off access to the
affected accounts, issued a network-wide password reset, and engaged
top-tier forensic consultants to conduct a full investigation.”

Certain former patient or employee information was in the accessed email
accounts. The data may have included health insurance payment summaries,
treatment overviews, health plan information, and in limited cases, Social
Security numbers.

“To help prevent an attack like this from recurring, we are enhancing
additional security measures to protect our systems, and we are providing
additional training to our staff so that they are better prepared to
identify potentially fraudulent communications,” Morehead said. “We have
also created an internal web page to provide timely updates to employees as
we become aware of phishing and email attacks.”

There has been no indication that the potentially compromised information
was misused in any way, the hospital added. Even so, individuals were urged
to regularly check their credit reports and explanation of benefits.

Morehead did not state how many individuals were possibly impacted.

AK DHS REPORTS POTENTIAL MEDICAID DATA BREACH

The Arkansas Department of Human Services (DHS) recently announced that an
inadvertent employee email resulted in a potential Medicaid data breach for
some Medicaid beneficiaries.

An email with spreadsheets containing names of Medicaid beneficiaries,
linked Medicaid identification numbers, some Social Security numbers, and
codes for medical procedures that beneficiaries underwent was mailed to an
employee’s home email address. This is considered a “breach of information
as described in state and federal law and DHS policy,” DHS said in its
online statement.

There were 26,044 unique names in the spreadsheets.

“We at DHS want to make sure beneficiaries are aware of this situation,
understand what happened and know the steps we are taking to ensure
something like this doesn’t happen again,” DHS Director Cindy Gillespie
said in a statement. “The privacy of beneficiaries is important to us, and
we take this situation very seriously.”

The incident was discovered when attorneys were preparing to represent DHS
against a wrongful termination lawsuit.

“Gillespie noted that DHS employees undergo security and privacy training
and cannot gain internet access at work until they pass a test on what they
were taught,” DHS explained. “The training includes the prohibition of
emailing confidential information outside the scope of a person’s job. DHS
is working with attorneys to recover the spreadsheets and has contacted the
Pulaski County Prosecuting Attorney’s office to pursue criminal charges and
prosecution.”