Healthcare Data Breaches Expose 65,000 People’s PHI

Three different healthcare providers recently acknowledged that data breaches may have exposed a significant amount of sensitive medical information.

The Medical Colleagues of Texas notified approximately 50,000 people that their protected health information (PHI) may have been exposed when the medical group’s computer network was hacked, HealthITSecurity reports.

The potentially exposed data includes patients’ medical records and employees’ personnel files, including names, addresses, Social Security numbers and health insurance information. All those affected are being offered one free year of access to credit monitoring services from Equifax.

In response to the incident, the medical group says it has updated its computer network, strengthened its firewalls, and implemented two-factor authentication for remote access. “We are also providing additional training and strengthening our policies and procedures in regards to the protection of sensitive personal information,” Medical Colleagues said in a statement [PDF].

Separately, the drug and alcohol abuse treatment program for New Mexico’s San Juan County was recently hacked, potentially exposing as many as 12,000 patients’ names, addresses, health assessments, medications and other treatment methods, Modern Healthcare reports.

The breach, which took place on March 18, was discovered within 30 minutes, the county said. While there’s “no evidence that this information was accessed by the intruder or removed from the computer,” the county is offering free identity protection services to all those affected.

County Attorney Doug Echols told the Farmington Daily Times that the county has $50,000 in insurance coverage for data breaches, and doesn’t expect its costs in response to the breach to exceed that amount.

And Wyoming Medical Center recently notified 3,184 patients that their protected health information may have been exposed when two employees fell for phishing schemes in late February, Becker’s Health IT & CIO Review reports.

Matt Frederiksen, the center’s chief compliance officer, told the Casper Star-Tribune that the breaches were detected within minutes when the compromised accounts began sending out spam.

“We knew right away,” Frederiksen said. “We started taking immediate action updating passwords and ensuring the third party was locked out.”

The potentially exposed data includes patient names, medical record numbers, account numbers, dates of service, birthdates and some medical information.

While the hackers never gained direct access to patient medical records, the compromised email accounts held patient data. “We had to go through each individual email to identify which patients this could affect,” Frederiksen said.

A recent Peak 10 survey of 157 C-level executives and IT professionals at healthcare organizations found that respondents gave their security programs an average of a B- grade. Thirty-two percent of respondents gave themselves a C.

The survey also found that 67 percent of respondents are planning to increase their IT budgets in the next two years. While cyber security is increasingly important, the survey found, many organizations find it hard to address adequately given their current talent and team bandwidth.

“Technology is changing at a rapid rate, and while it is making patients’ lives easier, it is also increasing the amount of information that is at risk of falling into the wrong hands,” Peak 10 vice president of governance, risk and compliance David Kidd said in a statement.

According to the Ponemon Institute’s Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, fully 89 percent of healthcare organizations have experienced a data breach within the past two years.

Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.
