The steady drumbeat of data breaches and malware incidents so far this year has shed light on security issues plaguing many healthcare providers. Cybercriminals are targeting hospitals with growing frequency, and vulnerabilities – such as aging medical equipment and human error – are only increasing the risk. The month of April was no exception: Small or large, these recent breaches highlight the varied ways hackers, insiders and employee errors put patient data at risk.
The American Dental Association unwittingly sent malware-infected USB thumb drives to dental offices nationwide, the ADA confirmed in a statement to Healthcare IT News. The ADA, which represents more than 159,000 members, said it began distributing its 2016 manual of CDT dental procedure codes, "which included flash drives in the back pocket," in late 2015. A "small percentage" of those drives "were found to contain malware, which was transferred to the flash drives from a subcontractor of an ADA vendor during the manufacturing process. Upon learning that some flash drives contained malware, the ADA promptly informed all customers via email or letter of the potential problem." (Photo: An example of the USB drive sent by ADA to its members, via Krebs on Security)
More than 1,000 patients of the Florida Department of Health Clinics in Palm Beach County could be at risk of identity theft after a recent medical records breach, department officials announced. Federal investigators brought the situation to the attention of the department in February. Included in the breach were the names, addresses, Social Security numbers, medical record numbers and Medicaid identity of people who officials determined were the clinic's clients, said Tim O'Connor, public information officer, Florida Department of Health, Palm Beach County.
A flash drive containing the data of over 2,700 patients was internally stolen from the Oneida Health Center Dental Clinic on February 17, 2016, according to the Oneida Nation of Wisconsin website. The drive included patients' dental identification numbers, dates of visits and insurance identification numbers. Although the data was limited, officials said affected individuals should contact their dental insurance company. The theft was discovered the same day and law enforcement was immediately contacted, officials said; the investigation is ongoing. "This isolated incident didn't involve any other personal identifying data, financial information, social security information, claims information, or any other diagnosis/treatment information," the website said. The isolated incident was limited to specific dental information and affected no other Oneida Health Center departments.
Kaiser Permanente says the data of more than 2,400 members of the Inland Empire Health Plan was lost when a mail delivery truck carrying the personal information was stolen last month from a parking lot in Santa Barbara, reported the Press Enterprise. The theft was reported to the Los Angeles County Sheriff's station in Santa Clarita, Michelle Simms, a Kaiser Permanente spokesperson, said in a statement. Officials said the event took place between March 12 and 14. While the vehicle was later recovered, the mail containing the data was not. The stolen mail contained protected health information, including names, addresses and handbooks with a generic overview of care plans. Social Security numbers, medical record numbers, medical services descriptions, health status, financial information and account data were not included in the mail.
A former employee of Vail Valley Medical Center copied physical and occupational therapy records containing the PHI of 3,118 patients onto two USB thumb drives while employed with VVMC, according to an official statement. The employee then took the data with him when he left to begin work with another employer. The company learned of the theft through an investigation in December 2015, according to the statement. The stolen data included names, ages, date and amount of payment for services and some clinical information, including conditions and treatments. No credit card information, dates of birth or Social Security numbers were included. "VVMC has demanded and obtained the return of both electronic storage devices, along with a signed certification from the former employee that he's not retained copies or otherwise provided any of the data to any other person or company," the official statement said. The incident has been reported to law enforcement and is still under investigation.
American Fidelity Assurance Company notified its customers of a potential breach involving personal data. According to an official statement, debit card substantiation letters were sent to some patients on February 15, 2016, and due to a mailing error some customers were sent data intended for other patients. The letters may have included the name, address, employer information, providers, payment information and the last four digits of the debit card number of patients. Officials say Social Security numbers weren't included in the information. While they don't believe misuse of the information is likely, all affected customers have been made aware of the mistake out of caution. American Fidelity is offering customers a year of credit monitoring and identity protection services.
PHI from 3,184 Wyoming Medical Center patients could be at risk after the organization discovered an unauthorized third party had access to two organizational emails, the company announced on its website. According to the statement, the unauthorized party only had access to the emails for about 15 minutes, and there's no evidence the data was viewed or copied during that time. While the company feels there's "little risk" to patients and no evidence exists to suggest any data has been accessed, it informed all affected patients by mail. The officials said if the data was viewed, the party would have been able to view names, patient information, medical record numbers, account numbers, hospital service dates, dates of birth and limited medical information. "Wyoming Medical Center took immediate steps to secure the email accounts," the statement said. "Wyoming Medical Center has reported this event to the Office for Civil Rights, the government agency that oversees HIPAA privacy compliance."
Pain Treatment Centers of America in Arkansas and Interventional Surgery Institute reported a 2015 breach in April that could affect up to 19,000 patients, according to the organizations. Officials said in a statement that hackers gained access to the institution's EHR files on the network through data servers owned and operated by Bizmatics. The data breach included patient medical records such as name, address, health insurance data, and driver's license and/or ID numbers. Some Social Security numbers were stolen. However, officials said no financial or credit card data was stolen. "We've learned Bizmatics became aware of the incident in late 2015, but neither Bizmatics, law enforcement, nor the cyber forensics firm is able to pinpoint the precise date on which the attack began," the official statement said. "Bizmatics has communicated to us it believes the incident began in early 2015. We have no reason to believe our patient files were the target of the hackers’ attack on Bizmatics. Due to the nature of the attack, Bizmatics cannot say for certain that PTCOA’s patient files were among the data that was accessed or acquired by the hacker." (Photo: Interventional Surgery Institute, via Google)