Ohio Living and Tucson Medical Center Breaches Exposed 8.200 Patients’ PHI

Ohio Living, which is a firm providing life plan communities and home health services, discovered that an unauthorized individual accessed some of its employees’ email accounts. On July 10, 2018, Ohio Living noticed the suspicious activity in an employee’s email account. It was inspected right away by a third-party computer forensics experts to find out the specifics of the breach and how the unauthorized individual was able to access the account. On July 19, 2018, the investigators informed Ohio Living that there were several compromised email accounts on July 10 and the accounts were accessed by the unauthorized person.

It was not possible to know if the attacker accessed or downloaded any messages. Examination of the emails revealed they comprised 6,510 individuals’ protected health information (PHI). As soon as Ohio Living knew about the breach, all the passwords of the compromised accounts and all other employees’ email accounts were reset. Ohio Living’s employees were provided additional training to increase security awareness and avert email breaches from occurring once more.

On September 4, 2018, the computer forensics specialists told Ohio Living that the following patient data were included in the emails: the names, contact information, financial details, Social Security numbers, birth dates, Patient ID numbers, health insurance details, medical record numbers, clinical information, medical information, diagnosis and treatment information.

As of yet, there’s no information about the inappropriate use of any PHI. Nevertheless, as a protective measure, Ohio Living provided free credit monitoring and identity theft protection services to all affected patients.

TMC Healthcare, a firm that operates Tucson Medical Center in Arizona, discovered a data breach involving paper files that contain the PHI of 1,776 patients. The files were usually locked and secured in a storage facility, but on July 12, 2018, it was found that the suite was accidentally left unlocked.

The suite was instantly secured to make certain that the files are inaccessible and the incident was investigated to find out the length of time the files had been left unprotected, and which patients’ data had been compromised.

TMC Healthcare found that the paper records were likely accessed for a time period of no longer than 15 days. Files kept in the suite had information of the patients’ names, addresses, dates of birth, Social Security numbers, medical record numbers, insurance ID numbers, provider data, diagnoses, treatment details, prescribed medicines, test data and other clinical details.

TMC Healthcare believes that no file was accessed by unauthorized individuals at the time the files were unsecured. Nevertheless, all individuals potentially impacted by the breach were notified by mail. The breach was also reported to the HHS’ Office for Civil Rights.

The employees in charge of the secure storage and safekeeping of the files with PHI got extra training. To protect the patients against identity theft and fraud, they were provided free credit monitoring and identity theft protection services for one year.

About Christine Garcia 1304 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA