Data Breach of W Health MyChart Portal and Jones Family Dental Computers

University of Wisconsin Hospitals and Clinics Authority has announced a breach of its Epic MyChart website which impacted 4,318 patients of UW Health. The hospital detected strange activity in the website and launched an investigation on April 20, 2021, to find out the nature and magnitude of the data breach.

The investigation continued until May 4, 2021, and confirmed that unauthorized persons got access to the website for approximately 4 months, starting from December 27, 2020 up to April 13, 2021.

UW Health stated the person had accessed the MyChart patient website homepage which shows clinical data including dates of hospital admission, consultation reminders, care team, subject lines of emails from health providers, and requests to see new test results data. Pages were furthermore viewed that contained some patient consultation and admission dates, demographic data like names, addresses, telephone numbers, and email addresses, medical insurance and claims data, diagnoses, prescription drugs, and test results. Breach notification letters were mailed to impacted patients beginning on June 18, 2021.

UW Health also took the necessary steps to strengthen security like increasing password security, employing 2-factor authentication for the MyChart portal access, disabling accounts that were non-active for 15 months, and improving its tracking processes.

Hacking of the Jones Family Dental Computers

Jones Family Dental based in Ashland, OR, reported a hacking incident that potentially compromised the protected health information (PHI) of 6,493 present and past patients. An investigation was started after the recognition of suspicious computer activity, which showed that an unauthorized person accessed its computers from April 15, 2021 to April 18, 2021.

It cannot be determined if the computers with patient data were accessed, however, the likelihood cannot be eliminated. The practice doesn’t think any patient information was viewed or exfiltrated; nevertheless, it sent notification letters to impacted persons as a safety measure.

Patient data on the computer system during the breach contained these data elements: name, birth date, address, driver’s license number, treatment records, medical history, diagnostic data, and/or health/dental insurance details.

Security guidelines and procedures are under review and will be revised to stop the same breaches down the road.