Orlando Health, Cuesta College, Firekeepers Casino Acknowledge Data Breaches


Three separate organizations in very different industries -- Florida's Orlando Health, California's Cuesta College and Michigan's Firekeepers Casino -- recently acknowledged data breaches affecting a total of more than 92,000 people.

Orlando Health announced on July 2, 2015 that a breach discovered on May 27, 2015 exposed approximately 3,200 patients' personal information, the Orlando Sentinel reports.

A former employee apparently accessed the records inappropriately, though there's no evidence at this point that any of the data was copied or used illegally.

The data accessed includes names, birthdates, addresses, medications, medical tests, test results, the last four digits of Social Security numbers, and other clinical data. In approximately 100 cases, insurance information may also have been accessed.

Those affected include some patients at the Winnie Palmer Hospital for Women & Babies, the Dr. P. Phillips Hospital, and a limited number of patients treated at Orlando Regional Medical Center between January 2014 and May 2015.

"We are continually evaluating and modifying our practices and the practices of our employees to enhance the security and privacy of all confidential and protected health information entrusted to us," the organization said in a statement. "We are also re-educating our workforce members and increasing our already vigilant program of auditing and monitoring of patient record access."

As the Orlando Sentinel notes, previous breaches at Orlando Health include the potential exposure of 586 children's data when a flash drive was misplaced in January 2014, and the theft of patient records by a former medical assistant in February 2013.

Cuesta College recently announced that on May 31, 2015, a college human resources analyst on medical leave allegedly downloaded reports containing approximately 4,000 current and previous employees' personal information, then emailed the reports to a personal email address.

The information potentially exposed includes names, Social Security numbers, birthdates, mailing addresses, phone numbers and email addresses.

The breach was discovered on June 9, 2015, and all current and former employees were notified by email and mailed letters on June 11, 2015.

"The college is reviewing current policies for individuals out on all forms of leave, as well as those who have remote/off-site database access," Cuesta College said in a statement. "It is important to note that this was not a hacking or security/firewall breach, but an unauthorized use of information by a college employee."

"This person has a clearance to use the databases in the course of their job, but this person went beyond their authorization," Cuesta College president Gil Stork told the San Luis Obispo Tribune.

And Firekeepers Casino, which had previously announced an investigation into a "possible security incident" involving the point-of-sale systems for its casino, hotel, restaurants and shops, announced on July 3, 2015 that the investigation had "confirmed details of a recent security incident involving unauthorized access into our computer system."

"While the investigation is still ongoing, it appears that approximately 85,000 credit and debit cards used between September 7, 2014, and April 25, 2015 for food, beverage and retail purchases may have been affected," the casino said in a statement.

The information accessed may include card number, cardholder name, verification code, and/or expiration date.

On May 6, 2015, FireKeepers discovered that there may also have been unauthorized access to a file storage server, which held some customers' Social Security numbers and/or driver's license numbers, as well as some current and former employees' Social Security numbers and/or driver's license numbers, health benefit selection and medical billing information.

All those affected are being offered free credit monitoring and identity protection services from AllClear ID.

Recent eSecurity Planet articles have examined the challenges of fighting cybercrime and offered advice on improving data security.