Breaches Reported by St. Luke’s Health-Memorial Lufkin, Iowa Total Care and RiverPointe Post Acute

CHI St. Luke’s Health-Memorial Lufkin in Texas began sending notifications to patients about potential unauthorized access to some of their protected health information (PHI).

St. Luke’s threat management team conducted an investigation of a data breach on March 25, 2020. Third-party experts performed a forensic investigation and confirmed on April 23, 2020 that an unauthorized outside party potentially accessed two employees’ email accounts.

The investigators did not find any evidence supporting unauthorized access or theft of data; however, the possibility cannot be eliminated. The email accounts held information such as names, diagnosis data, facility account numbers, and dates of service. Based on the investigation, St. Luke’s is convinced that no patient data was used inappropriately. However, certain patients received offers of free credit monitoring services via Experian as a precautionary measure.

St. Luke’s investigated the security breach extensively, checked data access logs, and performed a threat intelligence analysis. The provider reset all passwords across the facility, changed and upgraded hardware, improved security by making changes to software, and modified processes for network access.

The HHS’ Office for Civil Rights has not yet published the breach on its breach portal, so the number of patients affected by the breach is still uncertain.

PHI of 11,500 Iowa Total Care Members Compromised Due to Email Error

Iowa Total Care learned that an employee impermissibly disclosed the PHI of thousands of patients. On April 29, 2020, the employee emailed an Excel file containing claims information to a large provider organization. The file included the PHI of patients who had not received healthcare at that organization.

The spreadsheet included 11,581 patients’ names, birth dates, Medicaid ID numbers, and procedure and diagnosis codes. Iowa Total Care is a HIPAA covered entity and is therefore aware of the requirement to secure PHI, and it has stated that the Excel file was deleted and was not copied or shared.

Iowa Total Care has re-trained the employee involved and implemented additional safety measures to prevent the same mistake in the future.

633 Patients’ PHI Lost at RiverPointe Post Acute

RiverPointe Post Acute in Carmichael, CA informed 633 nursing home residents about the exposure of some of their PHI. The provider mailed a USB storage device containing names, some Social Security numbers, and insurance ID numbers, but the device went missing in transit. The postal office was informed about the loss, prompting a search for the storage device, but it could not be found.

Although no specific evidence was discovered to suggest the device was taken by an unauthorized person, affected people were offered free identity theft protection services as a safety measure. Employees are being given additional training on data security.