PHI Exposed at Medical Oncology Hematology Consultants and Health Net of California Breaches

Medical Oncology Hematology Consultants (MOHC), a Newark,DE based cancer treatment center, suffered an email security breach that lead to the compromise of the protected health information (PHI) of some patients. MOHC published a substitute breach notice on its website stating that the email breach took place between June 7 and June 8, 2018. The notice did not mention the date when the breach was discovered. But according to the investigation that run until March 14, 2019, patient data was exposed because of the breach.

Third party computer forensics experts investigated the incident along with the email host provider. Though no report suggests the misuse of patient data, it’s not possible to completely rule out data access and theft.

The compromised data included names, government ID numbers, birth dates, Social Security numbers, financial information, and health information. MOHC already alerted the affected patients and offered them free credit monitoring membership and associated services for one year.

MOHC took extra measures to reinforce its email security, for instance, the use of a safer site for getting emails from external sources, employing other malware blocking solutions, a suspicious email monitoring system and email encryption. Employees likewise had extra HIPAA training on security awareness. A system was also added to notify employees in case they sent emails that had unencrypted sensitive information.

This is MOHC’s second report of a large data breach in two years. The first happened in September 2017 after a ransomware attack on MOHC afflicted 19,000 patients. There is still no report on the exact number of patients affected by the latest breach.

A coding error on a mailing by Health Net of California resulted in the impermissible disclosure of PHI of subscribers.

While doing a mail merge, the coding error caused the letters to be misaligned. Hence, the printed letters with the PHI of subscribers were not mailed to correct subscribers. The coding error took place on March 1 and impacted mailings up to March 12, 2019.

Because of the error, the data elements that were compromised included names, birth dates, Health Net ID numbers, group numbers, health plan names, dependents’ names and ages, primary care doctor’s name and address, and the last four digits of dependents’ social security numbers.

Health Net of California already fixed the coding error and has applied better procedures for future mailings, which include a few testing scenarios and a checklist to ensure there are no errors and if there’s any, corrective measures are done prior to mailing the letters.

About Christine Garcia 1299 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA