Data Breaches at New England Dermatology and Alaska Department of Health and Social Services

New England Dermatology has begun notifying 58,106 patients about the compromise of some of their protected health information (PHI). In a breach notice on April 30, 2021, New England Dermatology stated that its in-house pathology laboratory had improperly disposed of specimen bottles, resulting in a privacy breach.

The laboratory should have sent the specimen bottles for shredding or incineration, because their labels were printed with patient information covered by the HIPAA Rules; instead, they were thrown away as normal trash. The labels contained patients' first and last names, dates of birth, the name of the provider who collected the specimen, the dates of specimen collection, and the body part from which the specimen was obtained. No other data was printed on the labels. A waste contractor servicing the building collected the normal trash, which included the specimen bottles, and brought it to the landfill.

The improper disposal began on February 4, 2011 and continued until the HIPAA violation was discovered on March 31, 2021. The information of anyone whose specimen(s) was tested by the pathology laboratory during that time may have been exposed. New England Dermatology is not aware of any instances of actual or attempted misuse of patient data.

Following the discovery of the breach, New England Dermatology immediately changed its policies and procedures and provided additional training to its staff members.

Malware Attack on Alaska Department of Health and Social Services

On May 18, 2021, the Alaska Department of Health and Social Services (DHSS) reported a malware attack on its website, dhss.alaska.gov. DHSS took its website offline on May 17, 2021 to prevent harm to its servers, databases and systems, and the website will stay offline until the attack has been remediated and fully investigated.

Besides the primary DHSS website, other systems were taken down, including its background check system, the Alaska vital records system, the behavioral health and substance abuse management system, the Case Management System for TANF work activities, and the system schools use to submit vaccine data reports for public health purposes.

DHSS does not know how long the investigation will take or how long its systems will stay offline. It is not known who carried out the attack or what the threat actors' motives were. Additional information will be provided to the public once details of the attack are confirmed, including whether PHI was compromised.

Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA