Recently, Central Florida Inpatient Medicine (CFIM) based in Lake Mary, FL has found that an unauthorized person has accessed the email account of a staff member. The compromised emails and file attachments may contain the protected health information (PHI) of patients.
According to the substitute breach notice, CFIM discovered that the email account comprised sensitive patient information on May 5, 2022; but, the email account breach occurred from August 21, 2021 to September 17, 2021. The late issuance of notifications to impacted persons was because of the thorough forensic investigation and detailed and time-consuming physical review of documents.
The review confirmed that the email messages and file attachments contained data like names, birth dates, medical {information|data} {including|such as} diagnosis, clinical treatment {information|data}, doctor and/or healthcare facility name, dates of service, and medical insurance data. The Social Security numbers, financial account details, driver’s license numbers, usernames and passwords of some people were likewise compromised. CFIM stated that there was no proof found that indicates the misuse of any patient information.
CFIM told affected persons to check their explanation of benefits statements and accounts for any indication of fraudulent transactions. It also provided free credit monitoring services to those whose Social Security numbers were compromised.
CFIM stated that it put in place more technical safety measures, such as multifactor authentication, to avoid the same occurrences down the road. It also offered extra training so that employees can raise awareness of the threats of malicious email messages.
Yale New Haven Hospital Reports Patient Data Exposure Online
Yale New Haven Hospital based in Connecticut has reported the accidental posting of a file that was used for research on the internet on a public web page. A limited number of unauthorized persons potentially accessed the research. On April 18, 2022, the hospital identified the compromised file and quickly removed it to stop any more unauthorized access. Yale New Haven Hospital has mentioned that the file is not accessible online any longer.
A third-party forensics company helped with the investigation and found out that the file was uploaded online on December 16, 2021, and was accessible up to April 18, 2022. The upload was because of human error and was not malicious at all.
The file was associated with radiology services provided and contained PHI like names, email addresses, age ranges, phone numbers, preferred languages, health record numbers, types of procedure, and location and dates of services.
A Yale New Haven Hospital spokesperson stated the incident led to a review of security authorizations for Internet-facing systems, and the provision of additional training and guidance to staff members to point out the continued requirement to protect patient health data. Current technical safety measures were also improved to better secure patient information.
Yale New Haven Hospital didn’t reveal how many persons were impacted and the breach is not posted yet on the HHS’ Office for Civil Rights portal.