Two serious breaches of patients’ protected health information have been discovered in Texas and Pennsylvania.
Email Account Compromised at Midland Memorial Hospital
Midland Memorial Hospital has suffered a breach of a number of patients’ protected health information. Over 1,000 patients are thought to have been affected.
Midland Memorial Hospital found that an unauthorized person gained access to the email account of a staff member at the hospital, in what seems to be an attempted Business Email Compromise (BEC) campaign. The attacker’s aim seemed to be to trick employees into making bank transfers to an inappropriate bank account.
The violation was identified on October 13, 2017, with access to the email account thought to have been gained around October 10. Upon discovery of the security breach, access to the email account was switched off and a full investigation was completed. The email account was found to contain some protected health information including first and last names, medical record details, account numbers, and information regarding radiology procedures that had been completed at the hospital in the time between August and September 2017. No financial data, driver’s license numbers, or Social Security numbers were accessed, and no proof has been uncovered to suggest any patient data has been used inappropriately.
Midland Memorial Hospital has taken measures to stop further incidents of this nature from happening, including reviewing policies and procedures and retraining employees.
Hard Drive Missing from Washington Health System Greene
Washington Health System Greene is warning 4,145 patients that some of their protected health information has been exposed after a hard drive was found to be missing.
A portable external hard drive used with a bone densitometry machine in the Radiology department was found to be missing on October 11, 2017. While the hard drive may have been simply misplaced, a search of the hospital did not locate the device and its loss has been reported to the Pennsylvania State Police Department as a possible theft.
The device stored information on patients who attended the hospital for bone density scans between 2007 and October 11, 2017. The information stored on the device was restricted to names, height, weight, race, and gender, while some patients also had records of health issues, the identity of their prescribing physician, and medical record numbers saved on the device. No financial data, Social Security numbers, insurance details, or other highly sensitive information was exposed.
Patients have been notified of the breach in line with HIPAA requirements. Due to the restricted nature of data exposed, even if the device has been illegally taken, Washington Health Greene does not feel patients are in danger of identity theft or fraud.