The Everett & Hurite Ophthalmic Association (EHOA) refers to a group of ophthalmology experts offering their services in Pittsburgh & Warrendale, PA. EHOA discovered an unauthorized person had accessed the email account of an employee and potentially accessed patient data.
EHOA knew about the breach on March 23, 2020 upon detecting suspicious activity in the email account of an employee. After making the account secure, third party forensic experts investigated the data breach. The investigation affirmed that only one email account was affected by the breach from February 25, 2020 to March 25, 2020.
A thorough analysis of emails and file attachments contained in the account showed they included the protected health information (PHI) of 34,113 patients. Most of the patients’ names were contained in an internal report that was submitted to the HHS’ Centers for Medicare and Medicaid Services (CMS). For some people, the following information was also exposed: Social Security number, financial information, medical insurance data, birth date, and health and treatment data. There is no evidence found that indicates the viewing or downloading of patient data by the individual who had account access.
EHOA already informed all affected patients, gave employees additional HIPAA training, and is working on policies and procedures enhancement to avert the same breaches later on.
Castro Valley Health, Inc. Reports PHI Exposure on Docker Hub
Castro Valley Health, Inc. found out that patient data was inadvertently transmitted to Docker Hub, a third-party website, and unauthorized individuals could have accessed the information.
The transmission of patient information happened from 2016 to 2017 but it was uncovered only on April 21, 2020. Docker Hub is a site for generating, managing and sending container applications and sharing of images between teams. The website stores uploaded files that included patient data like names, birth dates, medical record numbers, start dates of care, admission and visit dates, names of nurses who attended the patients, and names of physical/speech therapists. There were no Social Security numbers, financial data, or clinical/diagnostic information exposed.
Castro Valley Health stated that although there is potential access of data, the data cannot be read without deciphering first its heavy code. There is no evidence found that suggest the viewing or downloading of any patient information by unauthorized persons in the period it was compromised. The only individual known to have data access was the individual who identified the data breach and reported it to the HHS’ Office for Civil Rights.
Castro Valley Health has already sent notification to all people whose information was compromised and took steps to avoid the same breaches later on, such as reviewing policies and procedures, doing further security audits and risk analysis, and re-training employees.