18 healthcare privacy incidents in January

  • Small
  • Medium
  • Large

Numerous privacy incidents at health IT suppliers, hospitals and other healthcare organizations captured public attention last month.

While media outlets reported on the following breaches in January, healthcare organizations experienced breaches as early as February 2017.

Here are 18 incidents covered by Becker's Hospital Review in January.

Note: The incidents are presented in order of number of patients or organizations affected.

1. The Tulsa-based Oklahoma State University Center for Health Sciences mailed letters Jan. 5 to nearly 279,865 Medicaid patients after it learned an unauthorized third party gained access to some folders stored on its computer network in November.

2. Florida's Agency for Health Care Administration notified 30,000 Medicaid enrollees their personal information may have been compromised when one of the agency's employees was the victim of a phishing email attack.

3. Elizabeth, Va.-based Coplin Health Systems notified roughly 43,000 patients after a hospital-issued laptop was stolen from an employee's car in early November.

4. Louis-based SSM Health notified at least 29,579 patients whose records were inappropriately accessed by an employee in the customer service call center between Feb. 13 and Oct. 20, 2017.

5. A limited amount of patients' personal information may have been exposed when Framingham, Mass.-based Charles River Medical Associates discovered an unencrypted, portable hard drive was missing from its bone density testing workstation in November 2017. The hospital notified 9,000 patients of the incident.

6. The personal information of 8,256 patients at Kalamazoo, Mich.-based Bronson Healthcare Group may have been exposed when the organization's email system was hit with a phishing attack, though no medical records were compromised.

7. Ransomware crippled Allscripts Professional EHR and electronic prescribing services in a Jan. 18 attack that left nearly 1,500 clients without access to key EHR functions for up to eight days.

8. Escondido, Calif.-based Palomar Health notified 1,309 patients who visited the hospital between Feb. 10, 2016, and May 7, 2017, that an emergency department nurse accessed their health records without a medical reason to do so.

9. About 1,200 patients who were treated in the emergency room, Same Day Surgery Center or Urgent Care site at the Siena, San Martin or De Lima campuses of St. Rose Dominican Hospital in Las Vegas between July 17, 2017 and Oct. 16, 2017 and received a signed DJO Global patient product agreement form when they received their DJO product may have had their personal information exposed in a mailing error.

10. Philadelphia-based Penn Medicine mailed letters to roughly 1,000 patients, alerting them to a potential compromise of their personal information after an unencrypted laptop was stolen from the hospital.

11. Newport Beach, Calif.-based Pedes Orange County, a clinic that shares its facility with another medical group to conduct surgical procedures, notified 917 patients after a physician accessed its EMR database without permission and disclosed the materials to their attorney in November.

12. Miracle-Ear and Best Hearing Products notified 554 of Best Hearing Products' clients that their personal health information may have been exposed when an unknown and unauthorized intruder gained access to the email account of an employee who provides support to Miracle-Ear Oct. 24.

13. Greenfield, Ind.-based Hancock Health paid hackers a $55,000 ransom after files on part of its network were locked Jan. 11. According to an investigation into the incident, patient data was not transferred outside of the hospital's network.

14. Pascagoula, Miss.-based Singing River Health System fended off hackers who attempted to launch a cyberattack on its computer systems Jan. 15.

15. Decatur, Ind.-based Adams Health Network was struck by a ransomware attack Jan. 11 that targeted some of its computer servers. At the time of the attack, AHN did not believe patient files had been accessed.

16. A limited number of information services at Wellsville, N.Y.-based Jones Memorial Hospital were offline for an unspecified number of days following a cyberattack in early January.

17. Boxes containing medical records from the now-closed MD Medical Spa and Wellness Center in Hyannis and Norwell, , were found on the side of a road in New Bedford, Mass., Jan. 14.

18. One of Park Ridge, Ill.-based Advocate Lutheran General Hospital's desktop computers was reported stolen Jan. 8 after a man claiming to live in the Philippines called the hospital to say he bought the machine at a resale shop and needed help unlocking it. The computer was not used to store patient data and was encrypted with advanced security software.

More articles on cybersecurity:

Epic introduces 3-part functionality for data collaboration
HIMSS, American College of Clinical Engineering present 'Excellence in Clinical Engineering' award to Axel Wirth
Emory researchers use AI to predict sepsis onset in ICUs

Copyright © 2021 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.


Featured Whitepapers

Featured Webinars