Two HIPAA-covered entities announced the exposure of patients’ protected health information. The first is Washington Health System Greene in Waynesburg, PA. The other one is Midland Memorial Hospital in Midland, TX.
The protected health information of 4,145 Washington Health System Greene patients stored in a portable hard drive has been exposed when it was discovered to be missing on October 11, 2017. The storage device was used in the Radiology department when patients visit for bone density scans. The portable device might have been misplaced but the hospital staff cannot find it after a search of the premises. The missing device was reported as a potential theft to the Pennsylvania State Police Department.
The device kept the records of visiting patients from 2007 to October 11, 2017. The information stored included names, weight, height, gender and race. Some patients’ information such as details of health issues, medical record numbers and name of prescribing physician were included as well. No highly sensitive information such as Social Security numbers, financial information or insurance details was exposed.
The impacted patients had been sent breach notification letters to satisfy HIPAA requirements. Although Washington Health Greene believes that the risk of identity theft or fraud is low because of the limited nature of data exposed.
In the second data breach reported, over 1,000 patients of Midland Memorial Hospital had their PHI exposed. The breach was due to an unauthorized access to the email account of a hospital employee resulting from a Business Email Compromise (BEC) attack. It seemed that the attacker was trying to fool employees into transferring money from a bank account to an inappropriate bank account.
The unauthorized email access must have happened on October 10, 2017 while the breach was discovered on October 13. When it was found out, email account access was immediately terminated and the incident was investigated. The protected health information that must have been exposed included first and last names, account numbers, medical record numbers and information associated with radiology procedures conducted from August to September 2017. Any financial information, Social Security number or driver’s license numbers were not exposed. So far, no reports of misused patient information had been received. Midland Memorial Hospital had implemented measures to avoid similar incidents such as the review and revision of policies and procedures and staff re-training.