5,000 Patients’ PHI Exposed in Two Separate Breaches

Separate breaches of patients’ protected health information have been exposed at Midland Memorial Hospital in Midland, TX, and Washington Health System Greene in Waynesburg, PA.

Washington Health System Greene is contacting 4,145 patients to advise them that some of their protected health information has been exposed after a hard drive could not be found at its premises.

An external hard drive used with a bone densitometry machine in the Radiology department could not be found on October 11, 2017. While there is a chance that the hard drive may have been misplaced by a staff member, a thorough search of the hospital did not uncover the device in question, and the missing device has been reported to the Pennsylvania State Police Department as a possible theft.

The device contained data on patients who visited the hospital for bone density scans and treatment between 2007 and October 11, 2017. The information stored on the device included names, height, weight, race, and gender, while some patients also had details of health problems, the name of their prescribing physician, and medical histories stored on the device. No financial data, Social Security numbers, insurance details, or other highly sensitive information was exposed.

Patients have been notified of the breach. Due to the limited type of data exposed, even if the device has been stolen with ill intent, Washington Health Greene does not believe patients are at risk of identity theft or further fraudulent activity.

Midland Memorial Hospital Email Accounts Compromise

Midland Memorial Hospital has experienced a breach of a limited amount of patients’ protected health information. In excess of 1,000 patients are believed to have been affected.

An unauthorized individual gained access to the email account of an employee at Midland Memorial Hospital, in what looks like an attempted Business Email Compromise (BEC) attack. The aim of the attackers was to entice employees into making bank account transfers to an inappropriate bank account.

The breach was discovered on October 13, 2017, with access to the email account seemingly gained on or around October 10. Upon locating the security breach, access to the email account was disabled and a full investigation was initiated. The email account was seen to contain some protected health information including names, medical record numbers, account numbers, and information relating to radiology procedures that had been completed at the hospital between August and September 2017. No private financial information, driver’s license numbers, or Social Security numbers were exposed, and nothing has been uncovered to suggest any patient information has been used for improper aims.

 

Author: Security News