Here’s a handy summary of the most recent physical data breach in the healthcare industry announcements over the last month. If you’re interested in learning more about measures you can take to minimize the risk of your facility ending up on this list, we can help.
A former nurse at Palomar Health inappropriately accessed the medical records of patients staying at Palomar Medical Center Escondido over a 15-month period ranging from February 10, 2016, to May 7, 2017. According to a statement from the facility, 1,309 patients will be notified that the breach included first and last names, genders, dates of birth, diagnoses, medical record numbers, medications and allergies, and treatment locations. The four patients for which the breach was most potentially severe will be offered identity-protection services for free. It is believed that nothing was done with the information.
Missouri-based SSM Health has recently reported that an employee accessed patient records without authorization while working in the customer service call center. It launched an internal investigation on October 30, 2017, but hasn’t revealed how it knew to begin an investigation into the employee’s behavior. While the employee accessed information from multiple states, it appears the focus was on a “small number of patients with a controlled substance prescription and a primary care physician within the St. Louis Area.”
The Center for Health Care Services in San Antonio, TX began notifying 28,434 patients of a data breach after one of its former employees removed PHI from the mental health and substance abuse facility on a personal laptop computer. The information included dates of birth, names, addresses, Social Security numbers, diagnoses, death certificates, medical record numbers, and more.
A computer stolen from UNC Dermatology and Skin Cancer Center has jeopardized the records of 24,000 patients. The practice has already begun notifying affected patients of the breach and believes that information including names, addresses, phone numbers, employment status, birthdates, and social security number may have been jeopardized. The hospital has also encouraged patients to monitor and review their credit in addition to offering a free year of credit monitoring protection services.
Langone Health in New York City finds itself notifying about 2,000 patients after its cleaning company mistakenly recycled a binder that contained presurgical insurance authorizations. Information that might have been jeopardized includes dates of service, diagnoses, names, dates of birth, current procedural terminology codes, insurer names and IDs, and in some cases related comments. The hospital currently has no indication that the information has been misused but since the documents weren’t shredded before being disposed of they are offering the affected patients a free year of identity theft protection along with cyber monitoring.
Lowell General Hospital launched an investigation into a single employee accessing an EHR without a medical reason and found that over 750 patient records had been breached. Information accessed is believed to have included diagnoses, names, dates of birth, and other treatment-related information. Social security numbers, financial information, and insurance policy information was not accessible to the employee.
The University of Alabama at Birmingham has begun breach notification procedures after an exposure incident at its Viral Hepatitis Clinic. Two USBs that were used to transfer information from a Fibroscan machine that evaluates liver disease turned up missing on October 25. Information at risk includes date of birth, diagnoses, gender, names, date and time of exam, numbers, and images associated with test results and in a few cases, referring physician. The hospital has already issued a letter to affected patients and believes that the risk of potential harm remains low. Still, officials have offered anyone affected a year of free credit monitoring and reporting.
Chilton Medical Center in Northwestern, NJ learned in October that an employee had removed a hard drive from the hospital and sold the drive online in December. The health system began notifying affected patients who had visited the facility between May 2008 and October 15, 2017, that their PHI had been compromised. Information at risk included names, addresses, medical record numbers, dates of birth, medications, and allergies. The hospital learned that the employee also removed other devices to sell in a similar fashion, but those devices are not believed to have contained patient information.