Several Health Entities Report Data Breaches Affecting Thousands
May 16, 2014 in News
Several data breaches and security issues recently occurred at health care providers and entities across the country. The breaches collectively affected the personal health information of thousands of individuals.
Details of Baylor Regional Medical Center Breach
Baylor Medical Center has notified 1,981 patients that their personal data were compromised when some members of the center’s staff responded to phishing emails, Clinical Innovation Technology reports.
The center on Feb. 24 learned that the emails were sent to a small number of affiliated physicians beginning on Jan. 23. Some of those physicians responded to the emails under the assumption that they were genuine internal requests, potentially creating an opening for unauthorized access to their email accounts, according to a notice from the hospital (Walsh, Clinical Innovation Technology, 5/14).
According to the notice, the physicians’ accounts may have contained patient information, including Social Security numbers in some cases.
Baylor notified affected patients on April 25 (Ellison, Becker’s Hospital CIO, 5/9). According to the notice, the hospital has established a call center to help patients with questions related to the breach, has retrained staff regarding phishing emails and is reviewing potential improvements to its technical safeguards.
The hospital said that there is no evidence that the information has been used improperly (Clinical Innovation Technology, 5/14).
Details of Catholic Health Initiatives Breach
Catholic Health Initiatives has filed a lawsuit against an unknown hacker, alleging that for five days in March the hacker was able to reroute a large number of emails sent to physicians and other hospital staff members from patients and laboratories, Clinical Innovation Technology reports. The suit also claims that the hacker gained control of some of the hospital’s domain names.
The breach affected dozens of centers across 17 states and Washington, D.C. (Walsh, Clinical Innovation Technology, 5/13).
Details of DeKalb Health Breaches
Indiana-based DeKalb Health on April 29 announced that portions of patient data might have been exposed when a website server operated by a third-party vendor was targeted by an overseas attack, eSecurity Planet reports.
The hospital learned on Feb. 12 that 17 users of its online bill pay website may have had their personal information accessed, including credit card numbers and Social Security numbers in some cases.
The hospital notified affected users about the breach on March 26.
In a separate case, DeKalb recently discovered that hackers had created a fraudulent website that mimicked the site for the DeKalb Health Foundation. According to DeKalb, the hackers targeted patients with phishing emails and placed a link to the fraudulent site on DeKalb Health’s actual homepage.
Further, the facility in late March discovered that a second database on the compromised server also may have been accessed, possibly exposing data on 24 patients, including:
- Emergency contacts;
- Hospital ID numbers;
- Social Security numbers; and
- Other information.
DeKalb notified the affected patients on April 1.
Lastly, DeKalb also learned that a third database on the server might have been accessed, possibly exposing information about 1,320 infants born at the hospital.
The affected families were notified of the breach on April 24. DeKalb is offering all patients affected by the breaches one free year of identity monitoring services (Goldman, eSecurity Planet, 5/7).
Details of UMass Memorial Medical Center Breach
UMass Memorial Medical Center is notifying about 2,400 patients treated from March 2002 to March 2014 that an employee might have opened commercial accounts using the data of four patients, Health Data Management reports.
The employee accessed the information outside of his or her normal job duties, and the data “may have been used to open commercial accounts, such as credit card and cell phone accounts,” according to a medical center statement. Affected information could have included Social Security numbers, according to the center. While the employee had access to an additional 2,400 patients’ data, it does not appear that other data were misused.
The hospital is offering one no-cost year of credit monitoring and identity theft protection to the potentially affected patients (Goedert, Health Data Management, 5/6).