Healthcare Data Breaches at Fairchild Medical Center, Harvard Pilgrim Health Care, and Indian Health Council Inc.

Fairchild Medical Center based in Yreka, CA, began sending notifications to some patients about the potential access of some of their protected health information (PHI) by unauthorized individuals online.

In July 2020, a third-party security company informed Fairchild Medical Center regarding a misconfigured server, which made it accessible over the web. With the help of third-party computer specialists, the medical center learned that unauthorized people may have gotten access to patient information.

The server held medical images with patient names, birth dates, exam identification numbers, patient identification numbers, names of ordering provider, and dates of exam. The misconfiguration happened on December 16, 2015 and was only corrected on July 31, 2020. A third-party security firm verified the security of the server after making necessary changes.

A forensic investigation couldn’t ensure whether unauthorized persons accessed patient data when the server was accessible, but the possibility couldn’t be excluded.

Mismailing Incident Reported by Harvard Pilgrim Health Care

Harvard Pilgrim Health Care is sending a notification to 8,022 persons regarding a software error in its enrollment data management system. The error caused the association of a person’s mailing address with another address connected to the health plan of that person. Because of the error, a number of mailings were misdirected to the address of a subscriber of the individual’s health plan or to a previous address. Harvard Pilgrim Health Care traced back the problem to an error that happened in 2013.

The types of information that may have been breached varied from mailing to mailing and possibly included the name of the member, ID number, birth date, telephone number, provider names, service dates, treatment details, deductibles, charges for services, co-pay amount, and co-insurance data associated to healthcare coverage.

The problem has now been solved and the procedure of system updates has been evaluated and enhanced. Affected people were instructed to verify their Activity Summaries and to submit a report on any dubious entries to Harvard Pilgrim right away.

Indian Health Council Inc Encounters Ransomware Attack

A ransomware attack on Indian Health Council Inc. based in Valley Center, CA occurred in September 2020 resulting in file encryption that possibly impacted patients’ PHI. Indian Health Council knew about the cyberattack on September 22, 2020 and hired independent computer forensic professionals to assist with the investigation.

An evaluation of the files the attacker had access to revealed that some had patient data included like names, dates of birth, health data, and health insurance details and, for certain persons, data about medical conditions, treatment, or diagnosis details.

Following the ransomware attack, Indian Health Council Inc changed passwords and strengthened security to avoid other attacks. It also enforced additional measures or controls like remote access and multi-factor authentication.

All patients affected by the breach already received notification. The breach report filed with the Office for Civil Rights indicates that the attack potentially impacted 5,769 people.