So far in November, the HHS OCR has posted four healthcare breaches on their breach portal, three of which were reported on the same day. These three healthcare PHI breaches are discussed below.
Healthcare PHI Breaches: People Incorporated Breach Affected 27,500 Patients
People Incorporated offers mental health services to patients across Minnesota. On November 6, People Incorporated reported that they had experienced an email breach affecting 27,500 patients. Through an investigation, they determined that an unauthorized individual had access to their email network from April 28 to May 4.
The protected health information (PHI) that was compromised by the breach included names, dates of birth, addresses, treatment information, insurance information, and medical record numbers. A limited number of individuals’ Social Security numbers, financial account information, health insurance information, and driver’s license or state identification numbers were also exposed.
In a press release announcing the incident, People Incorporated stated, “Since the date of this incident, People Incorporated has taken steps to improve internal procedures to identify and remediate future threats in order to minimize the risk of a similar incident in the future, including implementing additional technical safeguards and providing additional training and education to People Incorporated employees on identification and handling of malicious emails.”
To read the press release, please click here.
Healthcare PHI Breaches: Seeley Enterprises Company Affected 16,196 Patients
On September 7, Seeley discovered that an unauthorized entity had gained access to their network. Upon discovery, Seeley contracted a third-party computer forensic specialist to help them with an investigation. Through the investigation, they determined that the unauthorized entity had access to their network from August 31 to September 7. The incident compromised the PHI of 16,196 patients.
Information exposed in the incident included patient names, addresses, phone numbers, medical record numbers, Social Security numbers, and prescription information.
In a press release, Seeley states, “Seeley takes this incident and the security of personal information seriously. Upon discovery, Seeley immediately launched an investigation and took steps to secure its systems and investigate activity. Seeley worked diligently to investigate and respond to this incident and to identify and notify potentially impacted individuals. Seeley is also reviewing and enhancing existing policies, procedures, and processes related to storage of and access to personal information. Seeley is also reporting this incident to relevant state and federal regulators as required. Seeley is notifying potentially impacted individuals so that they may take further steps to best protect their information, should they feel it is appropriate to do so. Seeley is also providing credit monitoring for potentially affected individuals.”
To read the press release, please click here.
Healthcare PHI Breaches: Conway Regional Health System Affected 2,945 Patients
Conway Regional Health System, a healthcare provider in Arkansas that offers health services including COVID testing, announced an email breach affecting 2,945 patients. The breach occurred when an unauthorized individual gained access to an employee’s email account.
The PHI exposed by the breach included patient names, birthdates, treating physician, positive and negative COVID-19 diagnoses, and email addresses.