Multiple Email Accounts Breach at Covenant Care California, Grandview Medical Center and Bergen’s Promise

Covenant Care California based in Aliso Viejo, an owner of skilled nursing facilities and a home health services provider in Nevada and California, has reported that an unauthorized third party has acquired access to its email system, and likely viewed or acquired electronic protected health information (ePHI). Suspicious activity was discovered in the email account of a staff member in February 2022, and the following investigation confirmed the access of several employee email accounts from February 24 to March 22, 2022. The accounts had information associated with its home health services, offered using these brand names:

  • Elevate Health Group
  • Focus Health
  • Choice Home Health
  • RehabFocus Home Health
  • San Diego Home Health

The accounts review concluded on March 27, 2022, and revealed that the email accounts contained protected health information (PHI), including names, medical data, and medical insurance details. The birth date, driver’s license number, Social Security number, and/or other personal data of some affected persons were also compromised. Covenant Care stated that safety measures are being assessed and changes will be made to enhance security, for example, giving additional training to staff members on email security. Affected persons received free identity monitoring services.

Presently, it is uncertain how many persons were impacted.

Email Account Breach at Bergen’s Promise

Bergen’s Promise, the assigned Care Management Organization for Bergen County based in New Jersey, has just reported that a portion of its email system was compromised. On November 15, it discovered suspicious activity in the email account of an employee. The subsequent forensic investigation confirmed the compromise of six email accounts from November 15 to November 18, 2021.

Bergen’s Promise reported that security protocols were improved in response to the email account breach. Affected persons received credit monitoring and identity theft protection services. The reason is not known as to why the issuance of the breach notification letters took 7 months from the time the breach was discovered.

The breach reported submitted to the HHS’ Office for Civil Rights indicated that 6,948 persons were affected.

Theft of ER Activity Logs from Grandview Medical Center

Grandview Medical Center located in Birmingham, AL has began sending notification to 1,126 persons about the theft of activity logs from its ER department. The stolen records contained PHI but law enforcement recovered them.

Law enforcement contacted Grandview Medical Center on April 12, 2022 to inform it about the logs, which were discovered in a residential apartment on April 4, 2022. The logs recorded patient visits from February 1 to February 12, 2022, and contained data like name, birth date, account number, medical record number, and treatment details such as reason for consultation, diagnosis, acuity, arrival mode and discharge disposition, and date/time of service.

Grandview Medical Center mentioned that law enforcement is currently investigating the incident. At this period, it is unknown what the individual who stole the records did with the information, however it is likely that the records were exposed to other persons. As a safety measure, the affected persons received credit monitoring services.

The medical center stated it offers regular privacy and confidentiality instruction to workers and stresses why safeguarding patient data is important.