Nebraska Medicine learned that a member of its staff accessed patients’ healthcare data without any authorized work reason over a period of about three months.
Nebraska Medicine uncovered the privacy violation during a scheduled review of its healthcare record system. The review showed that the employee first accessed the patient files on July 11, 2019, and that the access continued until October 1, 2019, when the provider found out about the privacy violations.
Upon learning about the breach, Nebraska Medicine took steps to stop further unauthorized access while the investigation of the incident was in progress. The staff member involved was terminated a day after the privacy violations were discovered.
According to a statement issued by Nebraska Medicine, the affected persons were sent notifications by mail, and anyone whose Social Security number was possibly exposed received free credit monitoring services for one year as a preventative measure.
Nebraska Medicine is convinced that no sensitive data has been or will be misused, meaning that the employee was merely interested in viewing the information. The number of people affected is not known at this time.
The breach notice letter mailed to affected individuals stated that the types of data potentially compromised include names, birth dates, addresses, Social Security numbers, driver’s license numbers, medical record numbers, clinical details, doctors’ notes, laboratory test findings, and medical photos.
Phishing Attack at Presbyterian Healthcare Services
Presbyterian Healthcare Services reported in August 2019 that a number of employees’ email accounts had been exposed because of a phishing attack.
Presbyterian Healthcare Services learned of the incident on June 9. The investigators stated that the compromised email accounts stored the protected health information (PHI) of 183,370 patients. Even though the provider had already delivered notification letters, the breach investigation continued. Presbyterian Healthcare Services has now learned that the incident was wider in scope than previously believed. The affected email accounts contained the sensitive data of 276,000 patients.
Additional notices were delivered to affected patients on November 25. The notification letters stated that there was no proof that any PHI was viewed, downloaded or improperly used. It was furthermore established that only the email system was compromised. The attackers had not gained access to healthcare data or the provider's billing program.