Recently Reported Data Breaches Could Affect Thousands of Patients
July 27, 2015 in News
Several U.S. health care organizations recently have disclosed data breaches, potentially affecting thousands of individuals.
Meritus Health Data Breach
Meritus Health in Maryland has notified 1,029 individuals that their information could have been compromised after an employee at one of the medical center’s vendors might have accessed their data outside of normal job functions, Health IT Security reports.
The hospital uncovered the breach on May 4 during “routine compliance and self-audit efforts.” The inappropriate data access likely occurred between July 2014 and April 2015.
Potentially compromised data included:
- Health insurance information;
- Medical record numbers;
- Social Security numbers; and
- Treatment and/or diagnostic information.
Financial information was not affected by the breach.
The medical center said there is no evidence that the information has been misused.
Meritus Health has suspended the employee’s access to its system and launched an investigation. In addition, the medical center is “working to further strengthen controls related to vendor access to patient information” and “enhancing its existing system monitoring capabilities with regard to vendor access” (Snell, Health IT Security, 6/30).
OhioHealth Riverside Methodist Hospital Data Breach
OhioHealth Riverside Methodist Hospital is notifying nearly 1,000 individuals about a potential data breach after an unencrypted thumb drive with patient information went missing, the Columbus Dispatch reports.
The thumb drive was last used on an OhioHealth computer on April 14 and was labeled missing on May 29.
The thumb drive holds data on patients who were valve-replacement candidates or had taken part in research projects on the procedure between July 2010 and December 2014. Information on the device included:
- Insurance companies;
- Medical record numbers;
- Referral and treatment dates; and
- Types of procedures.
The thumb drive also has clinical information and Social Security numbers for some patients.
OhioHealth said it does not believe that the thumb drive was stolen or that its data have been used inappropriately.
However, the health system said it has suspended use of thumb drives in the department where the thumb drive was lost. In addition, OhioHealth plans to implement encrypted thumb drives systemwide (Sutherly, Columbus Dispatch, 7/27).
Orlando Health Data Breach
The breach was discovered on May 27 during a routine patient record access audit (Jayanthi, Becker’s Health IT CIO Review, 7/6).
It is unclear what data were viewed, but the patient records included:
- Medical tests and results;
- Names; and
- The last four digits of Social Security numbers (Snell, Health IT Security, 7/6).
The employee, who has since been fired, also may have accessed insurance information on a “limited number” of patients.
The health system said there is no evidence that the data have been used or removed from the hospital.
Orlando Health said, “We are … re-educating our workforce members and increasing our already vigilant program of auditing and monitoring of patient record access” (Becker’s Health IT CIO Review, 7/6).
University of Pittsburgh Medical Center Data Breach
The incident was discovered on June 4 and reported to HHS on July 2.
Information in the file included:
- Insurance plan types;
- Member identification numbers;
- Phone numbers; and
- Primary care physician office names.
The file did not contain Social Security numbers or medical histories.
William Gedman, chief compliance officer at UPMC’s insurance services division, said, “Based on our ongoing investigation, we will make all changes necessary to further enhance our already stringent privacy protections” (Snell, Health IT Security, 7/16).