North Shore University Hospital, PracticeMax and Ascension Michigan Report Data Breaches

North Shore University Hospital (NSUH) based in Manhasset, NY has reported a case wherein an ex-worker got access to protected health information (PHI) without a valid reason. 7,614 patients had been informed that a former worker viewed their PHI without consent.

It is unsure when NSUH noticed the unauthorized access to PHI. As per NSUH, it was determined on April 11, 2019 the occurrence of unauthorized access between October 2009 and February 2019. In the beginning, the employee was stopped from going to work while investigating the breach. Afterward, his/her employment was terminated as a result of unauthorized access. The breach report was submitted to the respective authorities, which requested a delay in giving notification letters so as not to block the investigation. NSUH mentioned it didn’t get any report of improper use of patient data and no charges were sent in against the ex-employee with respect to the unauthorized access.

PracticeMax

PracticeMax, a business management and IT solution business, recently advised the Maine Attorney General that a data breach has affected 165,698 people. PracticeMax stated it started having technical problems on May 1, 2021 and began looking into the likely security breach.

The forensic investigation affirmed that unauthorized people got access to its systems starting April 17, 2021 probably until May 5, 2021. The attackers got access to a server and possibly copied files that consist of patients’ PHI as well as those of the health plan members of its clients, prior to ransomware.

PracticeMax stated it issued breach notification letters on behalf of affected clients on October 19, 2021, but the review of the server wasn’t completed yet. The review was concluded on February 2, 2022, and affected clients got updates on February 14, 2022. The types of data stored on the server varied from one person to person and may contained names and Social Security numbers. PracticeMax explained that on March 4, 2022, it started mailing more notification letters to individuals who were not informed before.

According to the most recent website announcement, PracticeMax is still determining the safety of its systems and bettering present guidelines and processes, including imposing additional technical and administrative security steps.

Ascension Michigan

Ascension Michigan started telling 27,177 people about an incident of prolonged unauthorized access to electronic medical records. Ascension Michigan stated it immediately stopped the user’s access to the network upon being aware of the unauthorized access. The investigation of the incident revealed that the hacker had gotten access to patient records in the EHR system from October 15, 2015 up to September 8, 2021.

An audit of the unauthorized access was completed on November 30, 2021, and confirmed the exposure of these types of data: complete names, addresses, email addresses, dates of birth, telephone numbers, health insurance ID numbers and providers, health insurance data, dates of service, diagnoses, treatment-related records, and, in a number of cases, Social Security numbers.

Following the breach, Ascension Michigan examined its internal settings and modified its processes to better protect patient information. It also provided credit and identity theft protection monitoring services to affected individuals.

Author: Joe Murray

Joe Murray is the Editor-in-Chief of HIPAA 101, where he leads the writing team in delivering high-quality news and insights on HIPAA regulations. With over 15 years of experience in healthcare journalism, Joe has established himself as a trusted writer. At HIPAA 101, Joe is dedicated to providing healthcare professionals and administrative staff with accurate, timely, and comprehensive information to help them navigate the complexities of HIPAA.