Patient Information Exposed Due to Superior Air-Ground Ambulance Service Data Breach and a Stolen TimeDoc Laptop

PHI of 858K Individuals Exposed in Superior Air-Ground Ambulance Service Data Breach

Superior Air-Ground Ambulance Service provides ambulance and Emergency Medical Services (EMS) in Michigan, Indiana, Illinois, Ohio, and Wisconsin. It reported the exposure and theft of the protected health information (PHI) of 858,238 patients because of a cyberattack in May 2023.

The healthcare company discovered suspicious activity in its IT system in May 2023 and took prompt action to segregate those systems and started an investigation to discover the origin of the activity. On June 23, 2023, there was unauthorized access to its network from May 15 to May 23, 2023, and during that time, an unauthorized actor extracted files from its system.

Superior Air-Ground Ambulance Service then carried out a detailed and time-intensive analysis of the affected files to find out the people impacted and the types of information that were breached or stolen. After that process was done, the Superior Air-Ground Ambulance Service worked on acquiring updated contact data to mail notification letters. Because of the number of persons affected, that procedure has taken a substantial period; nonetheless, notification letters were sent to the impacted people on behalf of themselves and pertinent associated covered entities and subsidiaries.

The types of information affected differed from person to person and may have contained name, address, birth date, Social Security number, driver’s license or state ID number, financial account details, payment card data, patient record details, medical diagnosis or condition data, medical treatment data, and/or medical insurance details. The impacted persons were instructed to stay wary against incidents of identity theft and fraud by looking at their explanation of benefits, free credit reports, and account statements. It appears that no credit monitoring and identity theft protection services were offered.

Superior Air-Ground Ambulance Service mentioned it has undertaken steps to better secure the privacy and security of data in its safety, such as going over and changing its guidelines and procedures and employing more security actions. This is done to ensure compliance with HIPAA regulations.

Stolen Laptop from TimeDoc Contains Patient Data

Virtual care management service provider TimeDoc recently advised 1,880 patients concerning the stolen laptop computer that contained their PHI on March 13, 2024. A TimeDoc employee was on public transport when the laptop computer was stolen. The laptop has password protection, but it was not encrypted.

The employee changed his password to minimize the chance of unauthorized data access and reported the theft to authorities. An analysis of the patient data downloaded to the laptop was done, which confirmed the inclusion of names, birth dates, chronic illnesses, and the names of providers where patients got treatment. The impacted medical providers were informed regarding the data breach from April 5 to 8, 2024. Affected patients also received individual notifications by mail. Steps were taken to enhance laptop security to avoid the same occurrences later.

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for Daniel has over 10 years experience as a HIPAA coach. Daniel provides his HIPAA expertise on several publications including Healthcare IT Journal and The HIPAA Guide. Daniel has studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X