PHI Exposed Due to Breaches at Saint Francis Healthcare Partners, Florida Internal Medicine Practice and Ascension Eastwood Clinic

Saint Francis Healthcare Partners in Connecticut is informing 38,529 patients about the potential compromise of some of their protected health information (PHI) due to a sophisticated cybersecurity incident that permitted an unauthorized person to access its email system.

The attack happened on December 30, 2019; however, the forensic investigators only determined the potential compromise of patients’ protected health information on March 20, 2020. The attacker could have accessed the following types of information kept in the email system: names, medical record numbers, medical histories, clinical and treatment data, dates of service, diagnoses, account numbers, health insurance provider names, prescription information and/or types of procedures completed. No financial information or Social Security numbers were compromised.

The investigation found no evidence suggesting the access, theft or misuse of patient information. Saint Francis Healthcare Partners has already taken steps to improve data security practices and has notified all affected patients by mail.

Ransomware Attack on Florida Internal Medicine Practice

Daniel Bendetowicz, MD, PA is notifying 3,314 patients about the exposure of their protected health information as a result of a ransomware attack. The attack happened on March 25, 2020, and encrypted the practice's computer systems, which included patient records. The attack did not affect the backup files, so recovery was possible without paying the ransom.

In these types of ransomware attacks, the attackers typically do not access the files prior to file encryption; nevertheless, it’s not possible to rule out data access, so the company sent notification letters to affected patients. Dr. Bendetowicz revealed in the breach notification letters that there was a potential compromise of patient names, addresses, dates of birth, Social Security numbers, medical information and health insurance details.

As a safety precaution, Dr. Bendetowicz offered identity theft protection services to all affected patients and took steps to improve security to prevent further attacks.

Email Error Resulted in Ascension Eastwood Clinic Breach

An employee of Ascension Eastwood Clinic, located in Southfield, MI, sent an email to patients on April 15, 2020, explaining that the practice was transitioning to telehealth services because of COVID-19 to help avoid the spread of the disease.

An error was made when sending the email. The employee did not put the patients’ email addresses in the BCC field of the email, so recipients could view the email addresses of the other patients. Due to the error, email addresses and, in several cases, patients’ full names were visible to other patients. Aside from allowing a person to be recognized as a patient of the clinic, no other information was exposed.

The HHS’ Office for Civil Rights breach portal shows that the breach affected 999 patients.

Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience in writing about healthcare sector issues, with a focus on compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA