Data Breaches at the Center for Health Care Services and North Ottawa Community Health System

Center for Health Care Services (CHCS) based in San Antonio, TX encountered a cyberattack that resulted in computer systems de-activation during the holiday period.

CHCS provides individuals with developmental handicaps, mental health problems, and substance abuse disorder with healthcare services. It has a couple of outreach centers and walk-in clinics in San Antonio.

After federal officials alerted CHCS about the cyberattack, its IT team claimed the cyberattack only affected one server. As a safety measure, CHCS opted to power down its computer system. Immediate action was taken by the IT department to fix its computer systems. Though doing the repair might take several days, computer access will be available again one at a time, starting with the systems used in its largest centers.

This is just one of the cyberattacks that started during the holiday season. There is no figure yet regarding the number of organizations impacted.

North Ottawa Community Health System Insider Breach

North Ottawa Community Health System (NOCH) learned that one staff at North Ottawa Community Hospital based in Grand Haven, MI, viewed patients’ healthcare records without permission for approximately 3 years.

Another staff informed NOCH about this issue on October 15. On October 17, NOCH investigated the alleged inappropriate access and suspended the staff involved while the investigation is pending.

On November 25, 2019, it was confirmed by NOCH that the patient records of 4,013 persons had been accessed without authorization by the employee starting May 2016 up to October 2019. The unauthorized access appeared to have no clear pattern. Patient medical records were accessed at random.

There’s no evidence found in relation to the theft of patient data. NOCH is positive that employee’s unauthorized access to patient data was only due to curiosity.

The employee possibly viewed these types of data: names, Social Security numbers, birth dates, Medicaid and Medicare numbers, health insurance information, and limited health information. NOCH provided patients who had potentially compromised Social Security numbers free 12-months credit monitoring and identity theft protection services.

All hospital system employees had further training about NOCH policies dealing with health record access. NOCH also added stricter controls on employee’s access to patient records.

NOCH had submitted the breach report to the Department of Health and Human Services’ Office for Civil Rights. It is OCR’s decision if the employee would be further charged for violating HIPAA rules.