BLUE CROSS AND BLUE SHIELD OF NORTH CAROLINA
(BCBSNC) – 2,337 MEMBERS
In two separate incidents, Blue Cross and Blue Shield of
North Carolina members’ information was disclosed by printing errors. In the first, members’ invoice information – including
names, addresses, internal BCBSNC account numbers, group numbers, coverage
dates, and due premium amounts – was printed on the backs of other members’
invoices by mistake. In the second, members received payment letters that
included other members’ information, such as “health plan purchased, effective
date, health insurance marketplace identification number, payment amount,
telephone number and payment identification number”.
AFFINITY HEALTH PLAN – 721 MEMBERS
A similar incident affected Affinity Health Plan.
Affinity sent appointment reminders to 721 members in August, telling them to
make an appointment “to complete a Child Health Plus renewal application”.
Owing to a printing error, the reverse of the letters contained different
patient information, including other children’s names, unique Affinity member
identification numbers, and addresses. No medical or health information was
disclosed.
BARRINGTON ORTHOPEDIC SPECIALISTS – 1,009
PATIENTS
A laptop and EMG machine were stolen from a vehicle
belonging to Barrington Orthopedic Specialists between August 14 and 18,
potentially exposing the names, dates of birth, and EMG results and reports
pertaining to 1,009 patients.
SENTARA HEART HOSPITAL – 1,040 PATIENTS
Two encrypted hard drives containing backups of
electronic patient notes – including patient names, unique medical record
numbers, dates of birth, procedure dates, diagnoses, procedures, surgeon and
staff names, allergies, notes, and medications relating to procedures performed
– were stolen.
OU HEALTH/ENVISION RX – 540 HEALTH PLAN
MEMBERS
Thanks to another mailing error, 540 health plan members
received letters containing other members’ claim information, including “first
and last name, date of service, name of drug and dosage, cost of prescription,
member [copy], and Plan paid amount. The information did not include the other
member’s demographic, financial information or Social Security Numbers.”
EMERGENCE HEALTH NETWORK – 11,100 PATIENTS
In August, Emergence Heath Network – the local mental
health authority for El Paso County – discovered a data breach dating back to
2012, potentially compromising patients’ first and last names, their addresses,
dates of birth, Social Security numbers and case numbers, and information
relating to the services they used. No medical records were held on the
affected server.
UNIVERSITY OF OKLAHOMA COLLEGE OF MEDICINE
DEPARTMENT OF UROLOGY – 9,300 PATIENTS
A laptop that “may have included limited patient
information […] such as patient name, diagnosis and treatment codes and dates
(most between 1996-2006), date of birth or age, a brief description of a urologic
medical treatment or procedure, medical record number, and the treating
physician’s name” was stolen from a former employee of the University of
Oklahoma Department of Urology in August.
CAREPLUS HEALTH PLANS – APPROXIMATELY 1,400
PATIENTS
WTSP reports that
an “error while processing statements might have led to a breach of personal
information for clients of CarePlus Health Plans.” Approximately 1,400 members’
names, addresses, and CarePlus identification numbers were sent to other
recipients when a “machine was programmed to insert two premium statements per
envelope — instead of just one”, resulting in “some statements being sent to
the wrong member.”
HUMANA – 2,800 MEMBERS
Wisconsin health insurance company Humana has reported
the theft of an encrypted laptop containing information pertaining to
approximately 2,800 Medicare Advantage members along with hard-copy files –
which included the names, dates of birth, and clinic names of about 250 of
those members – from an employee’s vehicle.
NEW YORK CITY HEALTH AND HOSPITALS
CORPORATION (HHC) – WOODHULL MEDICAL AND MENTAL HEALTH CENTER – 1,581 PATIENTS
A laptop containing 1,581 patients’ “medical record
number, test results and narrative physician summary” was stolen from a patient
examination room at the Woodhull Medical and Mental Health Center.
NEPHROPATHOLOGY ASSOCIATES – 1,260 PATIENTS
Information including patients’ “first and last name,
patient age at the time of treatment, Nephropath accession number, referring
physician, and pathology diagnosis” was “inadvertently transmitted […] to a
vendor via unsecured e-mail.” The vendor was informed and instructed to destroy
the information.
NORTH CAROLINA DEPARTMENT OF HEALTH AND HUMAN
SERVICES – 1,615 PATIENTS
A North Carolina DHHS employee inadvertently sent an
unencrypted email to the Granville County Health Department. “Attached to the
email was a spreadsheet containing information relating to individual Medicaid
recipients. The information in the email included the individual’s first and
last name, Medicaid identification number (MID), provider name and provider ID
number, and other information related to Medicaid services.”
BAPTIST HEALTH AND ARKANSAS HEALTH GROUP –
6,500
Two former employees of Baptist Health and Arkansas
Health Group downloaded patient information without permission, which they took
to their new practice, Bray Family Health. They then used the information to
contact patients about Bray Family Health. Information included “patient names,
addresses, telephone numbers, dates of birth, gender, race, ethnicity,
rendering provider, referring provider, and the date that patients were last
seen by one of our health care providers”.
JOHNS HOPKINS MEDICINE – 571 PATIENTS; 267
RESEARCH SUBJECTS
An unencrypted laptop containing “limited information
about 571 patients with cancer seen at The Johns Hopkins Hospital between 2006
and 2014 and about 267 people who participated in a research study on a rare
genetic disorder between 2008 and 2015” was stolen from a Johns Hopkins
physician at an airport. Patient data “was limited to the patient names, the
dates seen at The Johns Hopkins Hospital, the names of patients’ physicians,
one- to three-word diagnoses and medical record numbers—but not their
contents—of the patients with cancer. For study participants, the information
included patient names, study identification numbers and, for subsets, dates of
birth, addresses, referring physicians’ names and comments on the disorder
stated in technical terms.”
ASPIRE HOME CARE AND HOSPICE – 4,278 PATIENTS
Aspire Home Care and Hospice (formerly Indian Territory
Home Health and Hospice) suffered a cyber attack in late July/early August
resulting in the compromise of 4,278 patients’ protected health care
information, “such as patients’ names, dates of birth, addresses, telephone
numbers, Social Security numbers, insurance information, prescription
information, patient identification/medical record numbers and certain
medical/clinical information.”
No comments:
Post a Comment