PHI Breached at Quantum Imaging and Therapeutic Associates, US HealthCenter and Delaware Department of Health and Social Services

The radiology practice Quantum Imaging and Therapeutic Associates in Pennsylvania announced that there were reports received regarding the non-physician personnel who allegedly shared with a Facebook group an x-ray photo of a male patient’s genitalia.

The sharing of medical pictures on social channels without patient permission violates patient privacy and HIPAA. Quantum released a message on Facebook confirming the reports received regarding a privacy breach and stated that Quantum is fully committed to maintaining the privacy of its patients and is greatly disheartened by the reports. No more specifics were revealed concerning the breach while waiting for the investigation results. The Fairview Township police have been informed about the issue and launched an investigation, however, there are no arrests yet at this stage. A number of people have commented on the Facebook post claiming the picture can be viewed by ‘thousands’ of persons.

US HealthCenter Identified an Email Account Breach

The US HealthCenter, a health risk management corporation, uncovered that an unauthorized person had accessed an email account and might have viewed or gotten the personal and protected health information (PHI) of members of the Cost Plus World Market’s (Cost Plus) Wellness Program.

The breached email inbox was employed to get the participants’ completed Annual Preventive Screening affidavits. Queries from Wellness Program participants concerning the program were likewise mailed to the email account. US HealthCenter found out about the unauthorized access on April 13, 2020 when the hacker used the account to send out phishing emails to members of the Cost Plus wellness plan. When the account was accessible, the unauthorized individual can view and forward emails.

The evaluation of messages in the account revealed they held members’ names, dates of birth, physician signatures, dates of exams, limited medical data and employee numbers.

US HealthCenter secured the account instantly and currently hosted the email account on a new Microsoft Office 365 platform, which provides better security protections with multi-factor authentication. There is no evidence found that suggests the misuse of personal information.

Delaware Department of Health and Social Services Identified Impermissible PHI Disclosure

The Delaware Department of Health and Social Services discovered a spreadsheet that contains protected health information was shared with four students unintentionally.

Four seniors at the University of Delaware requested data with regard to a project to identify service gaps in the community and got a spreadsheet. The information required by the students included the age range of people and their disability status. The identifying information was not removed prior to sharing the spreadsheet. The students had viewed the full names of 350 people, their diagnoses, birth dates, and county details.

The students provided a presentation of their report over Zoom on May 8, showing the included patients’ PHI as well. The Delaware Department of Health and Social Services quickly ended the presentation upon seeing that protected health information was included. The students were instructed to erase the data and the staff who provided the spreadsheet was reprimanded.

About Christine Garcia 1304 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA