HIPAA Health Report: More Data Breaches

by ih-coc admin

More data breaches have occurred within the healthcare industry. This time the victim was Presbyterian Healthcare Services, based in New Mexico, and the protected health information (PHI) of 183,000 patients and health plan members has been exposed. It’s worth pointing out that this comes less than three months after the discovery that over 4.91 million documents containing personally identifiable information (PII) of addiction rehab patients had been exposed by a misconfigured Elasticsearch database, publicly accessible for more than two years, from mid-2016 to late 2018.

Presbyterian Healthcare Services fell victim to a large phishing campaign that apparently took place in May. In that same month, Perry County Medical Center - part of Three Rivers Community Health Group - was also breached. Here’s what we know at the time of writing.

Presbyterian Healthcare Services Data Breach

According to HIPAA Journal, on or around May 6, 2019, several Presbyterian Healthcare Services employees received phishing emails. Some of those employees opened and responded to those emails - tricked into disclosing their credentials to the sender. The attacker was then able to use those credentials to gain access to patients’ names, dates of birth, and Social Security numbers.

As is common with successful credential-phishing campaigns, the intrusion went unnoticed for some time: Presbyterian Healthcare Services did not become aware of the data breach until June 9th. In total, approximately 21% of Presbyterian Healthcare Services patients and plan members have been impacted.

Three Rivers Community Health Group Data Breach

An “unauthorized individual” gained access to the email account of a Three Rivers Community Health Group employee and may have viewed patient information including names, dates of birth, dates of service, physicians’ names, prescription information, and health insurance group and ID numbers. The breach was discovered on May 28th and affected 3,812 patients. No additional information is known at the time of writing.

A Reminder About HIPAA Compliance

In a previous article, we discussed the fines and penalties associated with violating HIPAA regulations. Even fines for “no knowledge of noncompliance” (honest mistakes that are corrected in a timely fashion and in good faith) can really hurt a company or organization. But the worst damage of all is inflicted on your patients. Ensuring your employees follow HIPAA regulations to the letter can prevent people’s lives from being destroyed. If you choose to work in the healthcare field, the Hippocratic Oath - the oath doctors take to uphold specific ethical standards and “do no harm” - should be followed by everyone. Identity theft has the potential to ruin lives almost as much as any illness, especially in a time when medical coverage is treated as a luxury that not everyone can afford.

Whether you’re a doctor or a data entry clerk, “do no harm” should be the mantra for every employee in the medical industry. Train your workforce and reinforce best practices.

HIPAA Training

We’re here to help you train your workforce. Call us today at 800-733-6379 to schedule a free initial consultation or check out our training resources.