Providers in California, Michigan, Mississippi Admit HIPAA Violations


In three recent cases across the U.S., health care providers acknowledged that data breaches may have exposed their patients' protected health information (PHI).

The Michigan-based community service organization Oakland Family Services recently acknowledged that an employee's email account was breached by a phishing attack in July 2015, potentially exposing more than 16,000 clients' PHI.

The information potentially exposed includes names, client ID numbers, dates of services, types of services, diagnoses, addresses and birthdates. In 173 cases, Social Security numbers may also have been exposed. All those affected are being offered one free year of access to Experian's ProtectMyID service.

The organization says the attacker only had access to the victim's email account for 23 minutes, and used that access to send a phishing email to all of the victim's contacts. "However, based on the amount of time the unauthorized user was in the account and the time it would take to create and send the phishing email, we are very confident that none of the PHI was accessed," Oakland Family Services said in a statement [PDF].

In response to the breach, all staff email passwords were changed, all staff will now be required to change their passwords every three months, and staff have been trained on how to maintain email security and how to avoid phishing scams. Oakland Family Services' IT department is also in the process of adding multi-factor authentication for staff email accounts.

California's Sutter Health recently began notifying 2,582 of its patients that a former employee emailed billing documents containing their personal information to a personal account without authorization more than two years ago, on April 26, 2013.

The discovery was made when Sutter Health conducted a review of the former employee's email activity and computer access "after learning of possible improper conduct by the former employee," the organization said in a statement. The employee worked for Sutter Health's billing arm, Sutter Physician Services.

The billing documents included patient names, birthdates, insurance identification numbers, dates of service and billing codes. In one case, the patient's Social Security number and California driver's license number were included, and in one other case, the patient's California driver's license number was included.

All those affected are being offered one year of free access to credit monitoring services.

"We believe protecting patients’ health information is the responsibility of every employee," Sutter Health chief medical officer Stephen Lockhart said in a statement. "We require employees to sign confidentiality agreements. In addition, we train them to follow privacy and information security policies and regulations. We deeply regret this incident occurred."

In a similar incident at Merit Health Northwest Mississippi, a former employee removed documents containing patient information from the hospital over a two-year period from early 2013 until mid-2015. On July 1, 2015, the hospital was notified by law enforcement that the employee was under investigation for identity theft.

"Following notification by law enforcement, the Hospital opened an internal investigation," Merit Health said in a statement. "In order to prevent any further removal of documents or unauthorized computer access by the employee, the Hospital terminated the employee’s access to buildings and computers and suspended the employee. This person is no longer employed by the Hospital."

The information taken by the employee included 846 patient names, addresses, birthdates, Social Security numbers, health plan numbers and clinical information.

Recent eSecurity Planet articles have examined the challenges of fighting insider attacks and the importance of offering security training to employees.