The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

5 Healthcare Providers Suffer PHI Breaches

The Edinburg, TX-based internal medicine specialists, ASAS Health, have recently notified 25,527 individuals about a hacking incident that exposed some of their sensitive protected health information. Suspicious network activity was detected on March 9, 2023, and immediate action was taken to secure the network. A forensic investigation confirmed that hackers had access to parts of its network that contained patient information. The breach notifications do not disclose the nature of the incident or for how long the hackers had access to its systems.

ASAS Health said it was not possible to definitively determine if patient data was accessed or stolen, but data may have been compromised. The review of the affected files confirmed they contained information such as names, dates of birth, addresses, phone numbers, email addresses, driver’s license numbers, Social Security numbers, diagnoses, disability codes, Medicare ID numbers, and health plan carrier information.

The breach report that was sent to the Maine Attorney General indicates credit monitoring services have been offered. Affected individuals have also been advised to monitor their accounts and report any suspicious activity, and to be wary of phishing attempts and emails and documents allegedly sent from ASAS Health. ASAS Health said it will continue to refine its security protocols and maintain a robust information security program.

Methodist Family Health Affected by Data Breach at Business Associate

Little Rock, AR-based Methodist Family Health has confirmed that patient data was exposed in a security breach at one of its business associates. The business associate was used to provide pharmacy services and was provided with patient data to perform the contracted duties.  The business associate detected a security breach on March 6, 2023, and the investigation confirmed its systems were accessed on March 4, 2023.

Methodist Family Health has confirmed that the unauthorized access has been blocked and additional security measures have been deployed to prevent similar incidents in the future. The compromised documents contained information such as names, addresses, birth dates, admission/treatment dates, account numbers, diagnoses, service charges, and medication information.  The breach has recently been reported to the HHS’ Office for Civil Rights as affecting 5,259 individuals.

People Incorporated of Sequoyah County Suffers Ransomware Attack

People Incorporated of Sequoyah County (People Inc), a Sallisaw, OK-based provider of behavioral health, addiction recovery, and anger management services, has discovered an unauthorized third party gained access to the sensitive data of 8,725 current and former patients in a recent ransomware attack.

The incident was detected by People Inc on March 6, 2023, and the forensic investigation confirmed that an unauthorized individual had access to certain systems between March 2 and March 6, 2023, during which time files were exfiltrated that contained patient data. The files contained names, Social Security numbers, care plans, scheduling information, and billing information.

Notification letters have recently been mailed and affected individuals have been offered complimentary credit monitoring and identity theft protection services. People Inc said it has strengthened system security to prevent similar incidents in the future.

Email Account Breach at Lake County Health Department and Community Health Center

Lake County Health Department and Community Health Center in Illinois have notified 1,700 patients that some of their personal and health information has potentially been compromised due to an email security breach. The security incident was detected on March 6, 2023, and the investigation confirmed that an email account had been accessed by an unauthorized individual.

A third-party digital forensics firm was engaged to investigate the incident and found no evidence of data transfers from the email account; however, unauthorized access to patient information could not be ruled out. The review of the account revealed the email account contained partially de-identified PHI concerning Lake County residents who may have had a communicable disease or a disease that was part of a cluster or outbreak that was investigated by the health department between April 23, 2012, and March 6, 2023.

The exposed information included one or more of the following types of information: names, addresses, zip codes, date of birth, gender, phone number, email address, medical record number, diagnoses or conditions, lab results, and other treatment information. Additional email security safeguards have now been implemented and further cyber security training has been provided to the workforce.

Oyate Health Center Notifies Patients About Impermissible PHI Disclosure

Oyate Health Center in South Dakota has discovered an unintended impermissible disclosure of the protected health information of 575 patients. The information related to pharmacy visits between August 31, 2021, and September 8, 2021.

When Oyate Health Center moved to a new clinic location, boxes of surplus supplies were donated to community organizations. On March 7, 2023, one of those organizations opened one of the boxes and found a weekly pharmacy visit report, which was a list of patients with their chart number, date of visit, and a diagnosis code related to the prescription they were filling. The list was seen by two people at the non-profit organization, and the list was then locked in a secure location until it could be collected.

Under HIPAA, this is classed as an impermissible disclosure. Oyate Health Center said it has no reason to believe the list was viewed by anyone else and does not believe the information has been misused. In response to the incident, new internal controls, policies, and procedures have been implemented and the affected individuals have been notified.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.

