District Medical Group (DMG), an integrated medical group in Arizona, has begun sending notifications to 10,190 patients regarding the possible compromise of their protected health information (PHI). On March 11, 2020, DMG found out that an unauthorized person had gained access to some employees’ email accounts after the employees responded to phishing emails.
DMG immediately performed a password reset to block the unauthorized individual from logging into the accounts. A top cybersecurity company was engaged to investigate the breach. The investigation showed that some email accounts were compromised from February 4, 2020 to February 10, 2020.
A review of the email messages and attachments in the compromised accounts showed that they included patient data such as names, medical data, medical record numbers, and medical insurance information. The Social Security numbers of some patients were also potentially exposed. No evidence was found that the attackers opened or copied the email messages.
DMG advised the impacted patients to be vigilant and to monitor their accounts and statements for any sign of fraudulent transactions. As a precaution, the medical group offered free credit monitoring and identity theft protection services to individuals whose Social Security numbers were contained in the accounts.
DMG has enhanced employee training and has taken steps to strengthen email security to prevent further breaches.
Geisinger Wyoming Valley Medical Center Employee Terminated for Unauthorized Health Record Access
Geisinger Wyoming Valley Medical Center (GWVMC) in Wilkes-Barre, PA learned that an employee had been accessing patient health records without a legitimate work reason.
GWVMC was informed of the possible HIPAA breach on March 20, 2020 and started an internal investigation. The employee was permitted to access patient files to complete daily work responsibilities; however, the investigation found that the employee accessed the health records of 805 patients beyond those work responsibilities. The unauthorized access began in July 2017 and continued until March 2020.
The investigation found no evidence that the patient information was accessed with malicious intent. As a precaution, GWVMC offered free credit monitoring and identity theft protection services to the impacted patients.
The employee accessed the following types of data: names, telephone numbers, physical addresses, email addresses, birth dates, Social Security numbers, health conditions, diagnoses, prescription drugs, consultation notes, dates of service, test results, and appointment data.
GWVMC took appropriate disciplinary measures against the employee for violating HIPAA rules and hospital policies. The employee no longer works at GWVMC.