Health Care Data Breach Watch: September 2015

A new report from Gemalto has determined that US health care data breaches made up 21.1% of all global data breaches reported in the first half of the year. This month’s roundup shows why: protected health information (PHI) continues to be exposed through stolen devices, insider misuse, phishing, misconfigured systems and outright network intrusion.

This month’s breaches:

Merit Health Northwest Mississippi – up to 810 patients

Merit Health has notified patients that a former employee stole patient information from the hospital from February 2013 through June 2015, including “patient names, addresses, date of birth, social security numbers, health plan numbers and clinical information. In some cases, it may have also included information regarding any other person responsible for payment of care.” Law enforcement is investigating. A statement from Merit Health can be read here.

UCLA Health (again) – 1,242 patients

#1 Following July’s breach, in which 4.5 million patients’ records were potentially affected by a cyber attack, UCLA notified affected patients, as required by the Health Insurance Portability and Accountability Act (HIPAA). Ironically, some notification letters were mailed to the wrong recipients, so the letters intended to tell patients about a breach of their personal data themselves disclosed that data to strangers. The LA Times has more here.

#2 UCLA Health has also notified 1,242 patients that their PHI (including names, medical record numbers and information relating to treatment) was put at risk following the theft of a faculty member’s laptop. The laptop was password-protected and the data did not include Social Security numbers or financial data. Note that a login password is not encryption: the disk can simply be removed and read elsewhere, which is why only PHI encrypted in line with HHS guidance is treated as “unusable, unreadable, or indecipherable” and exempt from breach notification.

Oakland Family Services – 16,000 patients

Oakland Family Services has announced that an employee’s email account was accessed remotely by an “unauthorized individual […] as part of a phishing attempt.” PHI, including “internal client ID numbers, dates of service and types of service provided”, was accessed and, in some cases, “the emails also included dates of birth, telephone numbers, addresses, diagnoses, health plan ID numbers, insurance numbers and social security numbers”.

Excellus BlueCross BlueShield – 10.5 million health insurance subscribers

Up to 10.5 million subscribers to Western New York health insurer Excellus BlueCross BlueShield and its affiliates Lifetime Benefit Solutions, Lifetime Care, Lifetime Health Medical Group, Lifetime Healthcare Companies, MedAmerica Companies, and Univera Healthcare are believed to have been affected by a cyber attack, in which “attackers may have gained unauthorized access to individuals’ information, which could include name, date of birth, Social Security number, mailing address, telephone number, member identification number, financial account information and claims information.” A dedicated website supplies more details.

Sutter Health – 2,582 patients

Northern California not-for-profit health system Sutter Health has discovered a 2013 HIPAA breach, according to the Sacramento Bee. Sutter Health spokesman Bill Gleeson told the paper that a former employee had emailed company billing accounts to their personal email account. 2,582 patients were notified that their PHI (including names, health insurance identification numbers, dates of birth, billing codes and the dates they received medical services) was affected. One Social Security number and two driver’s license numbers were also listed in the emailed documents.

LSU Health New Orleans School of Medicine – approximately 5,000 patients

A university-issued laptop that contained information including “names, dates of birth, dates of treatment, descriptions of patients’ conditions, treatments, and outcomes, lab test results, radiological and ultrasound images, medical record numbers, and diagnosis and treatment information” of some 5,000 “minor patients” was stolen from LSU faculty member Dr Christopher Roth’s car in July. “No Social Security numbers, credit card, bank account information or other financial data” were stored on the device. A statement from LSU Health can be read here.

Max M. Bayard, MD PC – approximately 2,000 patients

Physician Max M. Bayard, MD PC, of St Albans, VT, has notified some 2,000 patients that their personal information (including “names, Social Security numbers, and other limited treatment-related information”) was exposed following the theft of several electronic devices in a burglary. A statement can be read on Dr Bayard’s website.

Systema Software – 1.5 million medical records

It has been reported that a publicly accessible subdomain of Amazon Web Services (AWS) associated with Systema Software – a business associate of a number of insurance providers – contained ‘many GB of SQL database backups with “names, social security numbers, addresses, dates of birth, phone numbers, as well as various financial and medical injury data”’ as well as ‘login information: session IDs, login names, and password hashes’. Exposed session IDs and password hashes matter beyond the records themselves: live session identifiers can be replayed, and weak hashes can be cracked offline. Systema is currently investigating the incident. In a statement quoted in that report, it said that “based on our initial review, we have no indication that any data has been used inappropriately.”

Molina Healthcare – 54,203 members

Molina Healthcare has written to 54,203 Medicare members to tell them that a former employee of CVS, Molina Healthcare’s over-the-counter benefits vendor, “took PHI from CVS’ computers and sent it to his personal computer.” The information included “Full Name; CVS ID; CVS ExtraCare Health Card Number; Member ID; Rx Plan Number; Rx Plan State; Start Date; and End Date.” Molina’s breach notification letter can be found here.

Kindred Healthcare – unknown number

A password-protected computer containing PHI that included “admission and discharge dates, facility name, Kindred-issued patient number, and certain accounting-related information such as copayment or days of Medicare use” was stolen from the offices of Kindred Transitional Care and Rehabilitation in Lawton, CA. All affected patients were notified by letter, a copy of which can be read here.

Insurance Data Services – up to approximately 2,900 patients

Insurance Data Services (IDS), a Wyoming medical billing company, has notified patients of its client, Claystone Clinical Associates, that their PHI was exposed following a vehicle theft. A courier company was engaged to deliver client mailings, but its car was stolen by masked thieves, with the letters inside. According to the report, the documents “include information about a portion of Claystone Clinical Associates’ 2,900 patients. The documents include patients’ names, phone number, addresses, diagnoses code, treatment codes, insurer and account balances.”

Horizon Blue Cross Blue Shield of New Jersey – approximately 1,100 patients

Horizon Blue Cross Blue Shield of New Jersey (BCBSNJ) has revealed that criminals posing as doctors “obtained Horizon BCBSNJ member identification (ID) numbers, and potentially other personal information, through methods typically only available to legitimate doctors and health care professionals”. They then used this information to submit fraudulent claims.

Silverberg Surgical and Medical Group – number unknown

Silverberg Surgical and Medical Group has informed patients that their PHI was exposed over the Internet because of a misconfigured network document scanner. An investigation found that the device, which was used to scan patient records, had been exposing information since September 2013, roughly two years before it was noticed. “The records that were accessible included patient names, addresses, dates of birth and admission, telephone and fax numbers, e-mail addresses, medical information, medical record numbers, health plan data and beneficiary numbers, and, in some cases Social Security numbers, State License numbers and full face photographic images. No passwords, security codes or financial data like account or credit/debit card numbers were made accessible in connection with this incident.”

A copy of the breach notification letter can be read here.

The Health Insurance Portability and Accountability Act (HIPAA)

Health care organizations are bound by the Health Insurance Portability and Accountability Act (HIPAA), whose Administrative Simplification rules regulate the use and disclosure of Protected Health Information (PHI) by covered entities.

ISO 27001

According to a recent report from security firm iSheriff, 40% of Americans have now suffered a health care data breach. With data breach incidents becoming the norm for health care providers, the need for cost-effective and robust information security has never been stronger. HIPAA covered entities that are concerned about data security would do well to implement an information security management system (ISMS), as specified by the international best-practice standard ISO 27001.

Because ISO 27001 takes a risk-based, organization-wide approach, an ISMS built to the standard covers the information security elements of HIPAA and, unlike a one-off compliance exercise, is independently auditable and designed for continual improvement.

ISO 27001 registration does not by itself make an organization compliant with any law, but organizations that achieve it usually find that much of the groundwork for other related regulatory frameworks is already in place. In addition, the external validation that registration provides is likely to improve an organization’s cybersecurity posture while giving customers and stakeholders a higher level of confidence – essential for securing certain global and government contracts.

IT Governance’s ISO 27001 Packaged Solutions provide fixed-price ISO 27001 implementation resources and consultancy support for all organizations, whatever their size, sector, or location, from under $600.

Civil monetary penalties (CMPs) for HIPAA violations can be as much as $50,000 per violation, up to an annual maximum of $1.5 million for identical violations, and criminal penalties can incur fines of up to $250,000 and ten years’ imprisonment.
