Employee Error Exposes Over 10,000 Patients' Personal Data


The personal information of more than 10,000 patients was recently exposed online due to an error by medical billing services provider PST Services, a subsidiary of McKesson.

PHIprivacy.net reports that the breach exposed the personal data of 10,104 patients of Georgia's 24 On Physicians, as well as 520 patients of the Williamson Medical Center in Tennessee and 680 patients of Illinois' Midwest Orthopaedic Center.

In a notice on its Web site, Midwest Orthopaedic states, "On June 6, 2014, McKesson reported that one of its former affiliates had unintentionally made records containing MOC patient information potentially accessible on the Internet. McKesson indicated that the information was accessible using very specific Google search terms between December 1, 2013, and April 17, 2014."

In Midwest Orthopaedic's case, the potentially exposed data included patient names, insurance information, diagnosis codes, and in some instances, Social Security numbers.

"We deeply regret any inconvenience this may cause our patients," the notice states. "To help prevent something like this from happening in the future, we are reinforcing with our vendors the importance of handling patient information securely."

In a separate but similar breach, Alabama's Diatherix Labs recently began notifying 7,016 patients that their personal information may have been exposed when the company's billing services provider, Diamond Computing Company, mistakenly made one of its servers accessible online beginning on September 24, 2011 (h/t Becker's Health IT & CIO Review).

Access to the server wasn't terminated until July 10, 2014.

The information potentially exposed includes patient names, account numbers, addresses, test dates and insurance information, and in some cases, Social Security numbers, birthdates and diagnosis codes.

In response to the breach, Diatherix says it has confirmed that Diamond Computing has destroyed or secured all Diatherix patient information, contacted search engines to request that all personal health information be removed from their files, and initiated "a security review of other, similar Diatherix vendors who have access to PHI to confirm their security procedures."

Of course, medical billing services providers aren't the only companies experiencing these types of data breaches.

The personal information of more than 9,000 students at Ohio's Forest Hills School District, including their student identification numbers, home addresses and parents' email addresses, was mistakenly emailed to most district parents last month (h/t DataBreaches.net).

District communications coordinator Erika Daggett told Cincinnati.com that the breach occurred when the information was mistakenly attached to a back-to-school notification, and that officials responded immediately to the breach. "We shut down all the systems that required student ID numbers, so no one would be able to access anything," she said.

CBC News reports that Canada's Central Health recently acknowledged that a privacy breach had taken place when 52 patients' personal health information was faxed to a 1-800 number instead of a 1-866 number by mistake. "The faxes went to the email of one person, who said they did not view the files, nor were they shared with anyone else," the report states.

And the U.K.'s Lincolnshire County Council mistakenly attached a document containing 4,000 people's names and email addresses to an email sent to 250 people (h/t DataBreaches.net).

"We are in the process of notifying and apologizing to all those affected, and are looking again at whether there are any additional steps we can take to help prevent this happening again," council chief information and commissioning officer Judith Hetherington Smith told The Lincolnite.

One of those additional steps should be security awareness training for all employees -- a recent Enterprise Management Associates (EMA) survey found that more than 56 percent of employees (at organizations ranging from fewer than 100 employees to more than 10,000) have not been provided with any such training.

"The potential cost of employees making poor security choices due to lack of awareness and understanding may go unrecognized until it becomes an actual cost of breach reparations," the EMA report warns.

A recent eSecurity Planet article offered several tips on how to offer security awareness training that works, from providing specific examples of security mistakes to targeting the training to meet each employee's needs.