Healthcare Data Breaches at Torrance Memorial Medical Center, Tandem Diabetes Care and Foundation Medicine

Breach of Patients’ Radiology Images at Torrance Memorial Medical Center

Torrance Memorial Medical Center (TMMC) in California learned that the security protections on a server used by a third-party radiology vendor had been removed, allowing unauthorized persons to access some patient data.

The radiology vendor notified TMMC of the potential data breach on January 6, 2020. According to the investigators, the protections were removed by accident on June 20, 2019, and unauthorized persons could access the server until December 13, 2020.

The risk to patients is believed to be low because radiology images were stored on the server only briefly: images on the server are deleted automatically every 24 hours. Nonetheless, the medical images temporarily stored on the server during a 6-month period cover 3,448 patients in total. The radiology images contained information such as names, birth dates, gender, medical record numbers, accession numbers, and referring doctors’ names.

Although it is believed that there is a low risk to patients, TMMC has provided all impacted patients with free identity theft protection services.

Phishing Attack Impacts Tandem Diabetes Care Patients

Cybercriminals targeted Tandem Diabetes Care, Inc., located in San Diego, CA, and accessed the email accounts of some of its employees from January 17, 2020 to January 20, 2020. Tandem Diabetes Care discovered the attack on January 17, 2020 and promptly investigated the incident with the assistance of a cybersecurity firm.

The compromised employee accounts contained information such as patients’ names, contact details, clinical data associated with diabetes care, and data concerning customers’ use of Tandem’s services and products. The Social Security numbers of some patients may also have been exposed.

Tandem is strengthening user authorization and authentication, improving its email security controls, and has revised its guidelines and procedures to restrict the types of information that can be sent through email. Impacted patients were notified of the breach on March 17, 2020.

The breach affected 140,781 patients, according to the HHS’ Office for Civil Rights breach portal.

Phishing Attack at Foundation Medicine

Foundation Medicine, a provider of genomic profiling services based in Cambridge, MA, discovered that an employee’s email account had been compromised after the employee responded to a phishing email.

Foundation Medicine learned of the incident on January 14, 2020. According to the investigation, which was led by a third-party forensics company, the attacker was able to access the email account from December 17, 2019 to January 14, 2020. During that time, an unauthorized person may have accessed patient data contained in the email account, such as patient names, birth dates, ages, test names, FMI ID numbers and ordering doctors’ names.

Foundation Medicine has informed all impacted patients and has provided further security awareness training to its employees.