March's Reported Data Breaches: Another 120,000 Patients at Risk (So Far)

Original image courtesy of Wikimedia Commons user Frank C. Müller. Image has been cropped and stylized.

UPDATED 4/4/18

Another month, another hundred-thousand-plus patients who may have had their protected health information (PHI) compromised.

Healthcare entities must notify the Department of Health and Human Services Office of Civil Rights (OCR) of any breach compromising 500 or more patient records within 60 days of discovery. Many of the events reported in last month may have begun in months before and only been reported after internal investigations…and it’s common for reports to trickle in later in the following month.

So far, OCR’s website has posted 20 breaches that were reported in March. In all, over 120,000 patients may have had their PHI put at risk by these incidents. That number is likely to rise in coming weeks, so check back for an updated post…but in the meantime, here’s how it all went down.

Unauthorized Access/Disclosure Incidents: 70,247 Patients

Unauthorized access accounts for a lot of the breaches that reach OCR. So far, it leads the way in March’s total both in number of incidents (9) and patients exposed (69,506).

The 2 largest reported breaches came from the same health system, Barnes-Jewish in St. Louis, Missouri. The OCR portal lists both Barnes-Jewish Hospital (18,436 patients affected) and Barnes-Jewish St. Peters Hospital (15,046 patients affected) in separate incidents reported on March 12th. Between May 9^th, 2017 and January 23^rd, 2018, scanned patient documents were publically available online without required security clearances. The health system does not know whether any of the information was actually accessed, but it directed patients to a 1-800 number for questions.

The 3^rd largest breach affected the Special Agents Mutual Benefit Association health plan, which covers current or former federal employees. Nearly 14,000 subscribers’ family members were affected in the incident, which resulted from botched 1095-B forms being mailed out: Instead of containing descriptions of subscribers’ enrolled relatives, they instead just listed their Social Security numbers. The forms were mailed out on February 19^th and the issue was detected days later.

There was 1 more 5-digit plus unauthorized access breach: Primary Health Care in Iowa noticed on March 1^st that 4 of its employees’ emails had been accessed. It does not know what information, if any, was obtained, but as many as 10,313 patients might be affected.

Other unauthorized access incidents impacted North Texas Medical Center in Texas (3,350 patients), UnitedHealth Group Single Affiliated Covered Entity in Minnesota (1,755 patients), Arc of Erie County in New York (3,751 patients), John J. Pershing VA Medical Center in Missouri (1,843 patients), Front Range Dermatology Associates in Colorado (1,070 patients) and Walmart (741 patients)

Hacking Incidents: 42,263 Patients

Three hacking incidents were reported to OCR in March. The largest involved ATI Holdings, a national chain that runs physical therapy clinics. On January 11^th, the company says that it noticed that multiple employees had had their direct deposit information changed. They found that an actor had accessed those accounts through a phishing attack. One or more of the accounts contained a trove of patient information, driver’s license or state identification numbers, Social Security numbers, credit card numbers, financial account numbers, Medicare or Medicaid identification numbers, and various other pieces of PHI. As many as 35,136 people were impacted.

Another incident affected Cambridge Health Alliance in Massachusetts, although not much is known about it. The breach was discovered recently and it was officially reported that 2,280 patients were affected. According to The Boston Globe, hospital officials are unsure if the information—which all came from patients who received treatment in 2013—was made available by accident or through an intentional hack. The incident is currently the most recent on the OCR breach portal.

One more incident affected Serene Sedation in Maryland. 5,207 patients may have had their information exposed.

Loss/Theft: 9,171 Patients

The OCR website lists 4 straight electronic device losses coming out of Massachusetts—although CareMeridian (1,922 patients) is in California and Georgia MENTOR (1,015) is in, wait for it…Georgia.

But the 2 aforementioned institutions issued near-identical statements about “an unencrypted disk sent by a third-party software provider containing documents that included sensitive information appeared to have been lost in the mail.” Center for Comprehensive Services, Inc. and Mentor ABI, LLC are also listed as Massachusetts-based institutions that had data breaches involving roughly 1,000 patients each and attributed, like the first 2, to an “other portable electronic device.” All 4 are also owned by Boston’s National Mentor Holdings, Inc, which would indicate that the situations are connected.

There was 2 incidents of theft in March: inSite Digestive Health Care in California reported a “paper/films” theft on that may have impacted 1,424 patients, and Milligan Chiropractic Group in California reported a laptop containing information about 2,640 patients had been stolen. "Although the laptop was password protected and we are not aware of the misuse of any information, we could not rule out the possibility that your personal information, including your name, date of birth, clinic notes and progress notes may be at risk," the latter event's notification letter says.

Improper Disposal: 1,412 Patients

St. Francis Hospital in Georgia reported on March 14th that in mid-January, “some administrative documents intended to be shredded were inadvertently picked up and improperly disposed of with the Hospital's regular waste.” The documents contained PHI—including Social Security numbers and billing info—for as many as 1,412 patients.

Related Coverage:

After Failing to Avert Data Breach Lawsuit, CareFirst Gets Hacked Again

The MyFitnessPal Data Breach Must Resonate Beyond Its Userbase

Newly-Reported Incidents Put February's Compromised Patient Record Total Over 300k