Houston Area Community Services, County of Kings, and NYU Langone Health Reported Data Breaches

Houston Area Community Services, County of Kings in California, and NYU Langone Health reported data breaches recently.

Avenue 360 Health and Wellness Reports Employee Email Accounts Breach

Houston Area Community Services, Inc., dba Avenue 360 Health and Wellness, found out an unauthorized individual has acquired access to the email accounts of a number of employees and may have viewed or gotten the protected health information (PHI) of 12,186 people.

Avenue 360 Health and Wellness stated its investigation confirmed the email accounts had been compromised between January 15, 2021 and April 2, 2021. A third-party vendor specializing in the evaluation of security incidents such as this was engaged to assist with the breach investigation.

The provider conducted a thorough evaluation of all emails and file attachments contained in the account. On November 9, 2021, Avenue 360 found out that the account included names, health insurance details, medical record numbers, birthdates, diagnoses, clinical and treatment information, and prescription data. The Social Security numbers and/or financial data of some persons were likewise exposed.

Avenue 360 did not receive any reports of actual or attempted misuse of patient data because of the email security breach. Affected individuals started receiving notification letters on January 5, 2022, and complimentary credit monitoring services were offered to people whose Social Security number was compromised. Since the breach, email security was enhanced with anti-spam solutions and multi-factor authentication.

Web Server Misconfiguration Led to the Exposure of COVID-19 Data of 16,590 People

County of Kings, which is a political subdivision of the State of California, has uncovered the misconfiguration of a public web server, which resulted in the breach of information regarding COVID-19 cases.

The California Department of Public Health and County healthcare providers gave the information to County’s Public Health Department. The data included names, addresses, dates of birth, and COVID-19 related details. The misconfiguration was discovered on November 24, 2021, and the issue was completely fixed on December 6, 2021. The investigation confirmed that the misconfiguration happened on February 15, 2021.

County of Kings authorities stated they could not rule out unauthorized accessing of the information in that span of 10 months, though there are no indications that any of the breached data has been or will be misused.

The sending of notification letters to the 16,590 persons whose sensitive details were exposed
began on January 21, 2022. The County is convinced that the limited nature of the compromised data indicates persons are not at risk and do not need to take any other actions. The County mentioned it is taking steps to make sure COVID-19 data is better secured later on.

NYU Langone Health Informs 1,123 Patient Regarding Mismailing Incident

NYU Langone Health has started sending notifications to 1,123 patients regarding a vendor mailing error. On or about November 12, 2021, NYU Langone informed patients concerning a scheduled relocation of an oncology surgeon, who was based in Lake Success, NY.

A third-party vendor was employed to distribute the notification letters and reformatted the addresses which caused a misalignment of patient names and addresses on the envelopes. Because of this, the letters were delivered to incorrect patients. The letters were addressed as “Dear Patient,” and there was no protected health information included.

NYU Langone has gotten assurances from its vendor that policies, procedures, and practices were evaluated and updated to avoid similar misdirected mailings down the road.