News Feature | April 29, 2016

Unsecured Databases, Unauthorized Vendor Access Cause Of Recent Breaches

By Megan Williams, contributing writer

Recent data breaches in Pennsylvania and Florida have been connected to unsecured databases and unauthorized vendor access.

The root causes of healthcare data breaches range from a lack of encryption (like we saw in the Anthem breach) to simple mistakes on the part of staff. Recently, we’ve seen a mixture of issues popping up across the country.

An Unsecured Database In Pennsylvania
Einstein Healthcare Network in New Jersey recently announced an incident concerning its website request form. According to their notice, they learned on February 2 of this year that the website database housing information entered into their “Request for Information” form (a form that did contain patient information) had accidentally been left accessible from the Internet.

Einstein Healthcare took immediate action, starting with an internal investigation, which revealed the database contained patient names and phone numbers, reasons for the request, physician names, and health information. No Social Security information or financial information was included, and the website was not connected to an EHR system.

Only patients who had entered information into the site prior to February 2016 were affected, and the hospital reports no knowledge that any patient information has been improperly used. They have also notified their patients of the breach and provided contact information for those who did not receive a letter.

Florida Department Of Health Breached
Palm Beach County’s branch of the Florida Department of Health released an announcement on April 11 stating that “unauthorized disclosure and/or use of protected health information pertaining to some clients of its Health Centers” had occurred. The breach was brought to their attention by federal law enforcement officials who had obtained a list of names, dates of birth, and Social Security and Medicaid numbers, as well as additional information, all belonging to Palm Beach County Health Department clients.

Individual notices have been sent along with information on how to check credit history and report suspicious activity to law enforcement. Additional information regarding the Florida breach is available here.

Sacred Heart In Florida Experiences Another Breach
Just under 550 patients at Sacred Heart Health System (also in Florida) have been notified about a PHI disclosure after a vendor was improperly granted access to their data. The breach happened at the American College Of Cardiology (ACC), to which Sacred Heart contributes data on patients with cardiovascular issues for a national registry. The ACC was partnering with a software developer on a registry redesign and accidentally included a table of protected patient data in its testing process.

The table included names, birth dates, and Social Security numbers, as well as patient identification numbers. Sacred Heart was notified of the potential breach on February 16 by the ACC software developer and released this statement:

“When ACC discovered this issue, it immediately terminated the vendor's access to the patient data. The ACC also obtained a written attestation from its vendor that the patient data has been destroyed and that the vendor did not retain copies. The software developer has also attested that its staff used the data only for purposes of their work for ACC.”

This is not Sacred Heart’s first vendor-related breach. One year ago, the facility notified its patients of a billing data breach involving one of its third-party billing vendors, after an employee’s email username and password were compromised in an email hacking incident. In that case, patient names, dates of service, birth dates, diagnosis and procedure information, total charges, physician names, and billing account numbers for 14,000 individuals were compromised, along with the Social Security numbers of 40 individual patients.

Moving Forward
It’s likely that your clients are vulnerable to similar issues and could benefit from a review of their current security posture. To learn more, we recommend Why Your IT Clients Need A HIPAA Risk Assessment.