Recent data breaches include an employee workstation hack putting 270,000 patients at risk, New England Baptist suffering data breach in the midst of merger talks, and cybercriminals phishing in Black River Medical Center.

June 21, 2018 – A healthcare data breach at Med Associates, a Latham, NY-based health billing company, may have exposed PHI on more than 270,000 people, reported the Times Unionnewspaper.

In an announcement on its website, Med Associates said that it noticed March 22 “unusual activity” on an employee’s workstation and determined, with help from its IT vendor and a third-party forensic investigation firm, that PHI may have been access by an unauthorized party.

The information included patient names, dates of birth, addresses, dates of service, diagnosis codes, procedure codes, and insurance information, including insurance ID numbers.

Med Associates did not provide the number of individuals affected in its announcement.

“Upon learning of this incident, we immediately secured the impacted workstation, implemented even more stringent information security standards and have increased staff training on data privacy and security,” it said.

Med Associates President Catherine Alvey said that the company is providing free credit monitoring services to those impacted and informed OCR about the breach on June 14. So far, it has not been posted on the OCR website.

NEBH REPORTS EMAIL HACK THAT EXPOSED PHI ON 7,582 PATIENTS

New England Baptist Hospital (NEBH) reported to OCR June 12 an email hack that resulted in exposure of PHI on 7,582 patients.

In a public notice* emailed to HealthITSecurity.com, NEBH said it determined that a patient list of a retired NEBH surgeon was mistakenly used to mail out notices about developments at a private orthopedic practice.

“During our investigation, we determined that on April 19, 2018, a list of the retired surgeon’s patients was sent to the private orthopedic practice, which the surgeon had originally referred his patients to upon retirement. In addition, in a separate incident, on March 19, 2018, the retired surgeon requested and received a copy of his previous patient list from NEBH. By forwarding this information, an NEBH employee impermissibly provided names and addresses for individuals who may not have continued to receive care from the private orthopedic practice. The list did not include any diagnostic, treatment, clinical, personal, or financial information regarding any patient.”

Back in 2008, the healthcare provider notified the Massachusetts Office of Consumer Affairs and Business Regulation that it experienced a paper data breach that affected 10 state residents.

According to the Boston Globe, a check forgery ring obtained checking account and identity information of the patients and cashed bogus checks totally around $3,000 for each victim.

NEBH is part of a merger deal being negotiated between Beth Israel Deaconness Medical Center of Boston and Lahey Health system of Burlington, the Boston Globe reported last month. The two sides have agreed to the name for the merged Massachusetts healthcare provider, Beth Israel Lahey Health.

“The name Beth Israel Lahey Health signifies a new beginning while harnessing the strength of our revered legacies,” Beth Israel Deaconess Medical Center CEO Kevin Tabb said in a statement.

Whether the recent data breach at NEBH will impact the merger talks remains to be seen.

*This data breach item has been updated with the NEBH public notice information.

BLACK RIVER MEDICAL CENTER SUFFERS EMAIL HACK EXPOSING PHI

Missouri-based Black River Medical Center (BRMC) said June 13 that an employee’s email account was breached as the result of a phishing attack and that PHI on patients may have been accessed by the attackers.

Information that might have been accessed included patients’ names, addresses, phone numbers, and treatment information, but not Social Security numbers or financial/billing information.

BRMC discovered the breach on April 23.

“At this time, there is no evidence that the unauthorized party actually accessed or viewed any patient information in the email account, and Black River is not aware of any misuse of patient information,” the statement related.

EX-EMPLOYEE STEALS MORE THAN 1,000 MEDICAL RECORDS FROM VA HOSPITAL

The VA Medical Center in Long Beach, California, said that medical records on more than 1,000 patients were stolen by Albert Torres, a former employee, the Press-Enterprise reported June 15.

Police discovered patient records, including names, dates of birth, and Social Security numbers, in Torres’ car after he was pulled over April 12 for driving a vehicle on the VA campus with suspicious license plates.

In the vehicle, they also found medications that he apparently stole from the VA facility. Police searched his apartment, where they found hard drives and flash drives with more patient data, as well as $1,000 in cleaning supplies he apparently stole from the hospital.

Torres pled guilty to identity theft and grand theft in a Long Beach court on May 14 and was sentenced June 4 to three years in prison.

“While there is no indication of any veteran identification information being used fraudulently, VA will send letters to all 1,030 potentially impacted veterans and provide 12 months of free credit-monitoring services,” the VA facility said in a press release.