– On May 31, California-based Dignity Health reported to OCR that a data breach exposed personal information on 55,947 patients.
In a Dignity Health statement emailed to HealthITSecurity.com, the healthcare provider explained that an email list formatted by its business associate Healthgrades contained a sorting error that resulted in misaddressed emails being sent to a group of patients about an online appointment scheduling tool.
The misdirected email contained the wrong patient’s name and his or her physician’s name. Each misdirected email was sent to only one person, the statement said.
In addition, Dignity Health informed OCR on May 10 that personal information on 6,036 patients at three of its St. Rose Dominican Hospitals in Nevada may have been disclosed.
According to DataBreach.net, the hospitals provided court-related health documents containing PHI to a local vendor even though the hospitals’ contract with the vendor had expired.
The report also noted that Dignity Health St. Joseph’s Hospital and Medical Center in Arizona announced that a hospital employee viewed portions of 229 patient medical records between Oct. 13, 2017, and March 29, 2018, without a business reason to do so.
Moran Eye Center Says Theft May Have Exposed Retinal Images
The John A. Moran Eye Center at the University of Utah announced June 2 that personal and medical information on 607 patients, including 602 infants, may have been disclosed as a result of electronic equipment theft.
The center discovered April 3 that a laptop computer and external storage device with retinal images were stolen from a locked storage facility in Salt Lake City.
Patient information that could have been exposed included full or partial name, date of birth, retinal images, and medical reference number used by the University of Utah Health system. The center said that no Social Security numbers or financial information was stored on the laptop or storage device.
The affected patients were examined by Moran eye specialist at the University of Utah Hospital and Primary Children’s Hospital between July 1, 2014, and March 30, 2018.
Care Partners Reports Email Hack Exposing 600 Patient Records
Oregon-based Care Partners Hospice and Palliative (Care Partners) reported May 25 to OCR that PHI on 600 patients may have been exposed in an email hacking incident.
In a notice on its website, Care Partners said that it discovered April 11 that an employee’s email account was compromised and that an unauthorized third-party may have gained access to personal information on patients as well as PHI.
Care Partners said it immediately reset the passwords for all employee email accounts and set up and additional layer of authentication for email access. It stressed that it found no evidence that the information was misused.
The provider said it was offering free identity protection services to those affected by the breach.
Holland Eye Center Reports Exposure of PHI on 42.2K Patients
Michigan-based Holland Eye Surgery and Laser Center reported to OCR on May 18 that a hack of a desktop computer exposed PHI on 42,200 patients.
In a media notice published the same day in the Holland Sentinel and reprinted by DataBreaches.net, the practice said that personal and medical information on its patients was accessed by an unauthorized individual.
The information disclosed included patient addresses, dates of birth, demographic information, and Social Security numbers. The practice said it was offering patients whose Social Security number was accessed free credit monitoring and identity theft protection.
A hacker who goes by the name of Todd Davis informed DataBreaches.net that he was the unauthorized individual who accessed Holland’s patient information in June 2016. He said he informed the practice at the time that he had the information and asked for a $10,000 fee to help them secure their data.
The hacker said he contacted the practice numerous times over the intervening two-year period, but no one responded to his inquiries. However, Holland said that it was not aware of the breach until March 19, 2018, when an unauthorized individual sent an email informing the practice of the breach.