Turlock Irrigation District in California is notifying its employees who are members of their employer-sponsored health plan regarding the exposure of some of their protected health information (PHI) online due to a business associate error.
Delta Health Systems (DHS) is a provider of administrative services correlated to the health plan and needs to have access to confident PHI. Some of the PHI became accessible online via a link to a webpage of DHS.
A third-party website developer made the error. During the configuration of the website to limit access, a conflicting setting took precendence and allowed public access to the document.
Unauthorized persons could have accessed the affected plan members’ billing statement for their employee-sponsored health plan when it was accessible online. The billing statement contained information such as the plan member’s first and last name, DHS ID number, name and address of employer, and Social Security number.
Because of the breach, affected members were provided a year of complimentary membership to Experian’s credit monitoring and identity theft protection services.
The problem was discovered and fixed on April 18, 2019. It was not determined when the error actually happened, how long the plan members’ personal data were exposed and whether any unauthorized persons accessed the unprotected billing statements.
Aside from fixing the issue, DHS requested the search engines to remove all cached content. DHS is likewise modifying its security guidelines and procedures and has created a new, safer website without the software which was misconfigured.
The California Attorney General and the HHS’ Office for Civil Rights had been notified about the incident but OCR has not yet posted the incident on its website, thus the number of affected plan members is presently uncertain.
Cyberattack on Ellwood City Medical Center Investigated
A cyberattack on Ellwood City Medical Center located in Ellwood City, PA that resulted to a partly compromised system is presently being investigated. The attack seems to have began on or about Saturday May 27, though at this time, no additional information was issued. Investigations are continuing to find out if any patient records were compromised.
The cyberattack just happened when the medical center is involved in problems related to billing and payroll and late salary payments to staff is being investigated.