[BreachExchange] Vendor Error Leads to Another Possible Healthcare Data Breach

Audrey McNeil audrey at riskbasedsecurity.com
Thu Sep 8 19:19:07 EDT 2016


http://healthitsecurity.com/news/vendor-error-leads-to-another-possible-healthcare-data-breach

CHI Franciscan Health Highline Medical Center (Highline) is notifying
certain patients that some of their information may have been exposed due
to a vendor error.

R-C Healthcare Management (R-C Healthcare) previously worked with Highline
before the medical center was acquired by CHI in 2014. R-C Healthcare
alerted Highline on July 22, 2016 that files with patient information had
inadvertently been made accessible online from April 21, 2016 to June
13, 2016.

The files were secured as of June 13, Highline said in an online statement.
The files may have contained patient names, dates of service, health
insurance information and Social Security numbers.

Only patients whose data was involved in account reporting functions from
1993 to 1994 and then from 2008 to 2013 were potentially affected.

“We take our responsibility to protect patient privacy very seriously and
have taken immediate responsive action,” Highline explained. “We work to
continually improve our policies, processes and educational offerings to
ensure our patients receive the benefit of proven information security and
confidentiality practices.”

While the medical center has no knowledge of the data being “accessed,
viewed, acquired or otherwise compromised by any unauthorized third party,”
it is still offering free credit monitoring services to those who were
possibly affected.

The OCR data breach reporting tool states that 18,399 individuals had their
information involved in the incident.

Just last month, Bon Secours Health System, Inc. in South Carolina reported
that some of its patients may have had their information exposed in the
same manner due to R-C Healthcare.

In that case, the data of 655,000 patients were possibly exposed when R-C
Healthcare attempted to adjust its computer network settings from April 18,
2016 to April 21, 2016.

“We deeply regret any concern this may cause our patients,” Bon Secours
said. “To help prevent something like this from happening in the future, we
are reinforcing standards with our vendors to ensure our patients’
information is securely maintained.”

Email error affects Planned Parenthood location

Planned Parenthood of Greater Washington and Northern Idaho reported that
it experienced a data security incident on June 28, 2016.

Emails notifying individuals of an online portal were sent to the wrong
addresses, Planned Parenthood explained in a statement. Individuals would
have received another person’s email, which would have contained the second
individual’s first and last name. No other personal or health information
was involved.

“Privacy is a top priority for us, and we regret any confusion or concern
this error has caused,” the statement reads. “We are reinforcing existing
privacy policies and technological protocols internally and with our
partners, and are evaluating additional safeguards to prevent any similar
incidents from occurring in the future.”

Planned Parenthood added that the portal was immediately shut down once the
error was realized and that there is no evidence indicating that any of the
data has been misused.

OCR lists 10,700 as potentially being affected by this incident.

Medical College of Wisconsin employee email accessed

The Medical College of Wisconsin recently started notifying patients that
some of their information may have been involved in a security incident due
to an unauthorized party accessing an employee’s email.

The college noticed on July 5, 2016 that there was unusual activity with
the employee’s email account and then retained a forensic firm to
investigate. The firm determined that the account had been accessed from
July 2 to July 4.

Approximately 3,200 individuals may have had their full names, dates of
birth, home addresses, medical record numbers, and codes or notes related
to diagnosis or treatment provided exposed, according to a Wauwatosa Now
report. Furthermore, two patients had their Social Security numbers
included. However, health insurance, credit card, banking or other
financial information was not in the email account.

While there is no evidence that the information was actually acquired or
viewed, the college is providing credit monitoring to the individuals whose
Social Security numbers were involved.