Data Breaches at Covenant Healthcare, Fisher-Titus Medical Center and University Hospital

Covenant Healthcare based in Saginaw, MI has found out that an unauthorized individual acquired access to two email accounts of employees. The account held the protected health information (PHI) of roughly 45,000 patients. The healthcare provider identified the security breach on December 21, 2020, and the investigation of the incident showed that the compromise of the first email account occurred on May 4, 2020.

An analysis of the compromised email accounts revealed they included the following types of protected health information: Names, dates of birth, addresses, driver’s license numbers, Social Security numbers, medical diagnosis and clinical details, medical treatment data, prescribed medication data, medical record numbers, patient account numbers, physicians’ names, and medical insurance details.

Affected people were informed to place a fraud alert on their accounts and to keep track of their account transactions for signs of unauthorized activity. It seems that the affected persons were not offered complimentary credit monitoring.

Covenant Healthcare’s website breach notice states that it is committed to protecting patients’ personal information and pledged to continuously assess and change practices and internal controls to improve security and privacy.

Fisher-Titus Medical Center Based in Norwalk, Ohio

An unauthorized person has obtained access to the email account of a worker of Fisher-Titus Medical Center in Norwalk, OH. The initial access of the email account was in August 2020 and it remained accessible possibly until October 2020 when the email breach was identified and the email account was made secure.

The delay in giving breach notifications to impacted people was because of the time taken to look into the breach. Third-party cybersecurity professionals finished their investigation on January 13, 2020. The medical center sent breach notification letters on February 18, 2021.

The medical center established the breach impacted patient names, medical details like diagnoses, clinical data, health insurance details, Social Security numbers, and credit/debit card numbers. Affected persons whose Social Security number was possibly breached were given complimentary membership to credit monitoring services for one year.

Supplemental safety measures have now been applied, which include modifications to the password policy, improved antivirus software, improvements to external firewalls, and email retention policies were modified and monitoring improved. A new anti-phishing platform was likewise executed.

University Hospital based in Newark, New Jersey

University Hospital located in Newark, NJ, has learned that an unauthorized individual acquired access to its computer network and possibly read and copied patient data. The hospital detected the incident on September 14, 2020, and learned that the system had been breached four days earlier.

A forensic investigation confirmed the attacker most likely obtained access to names, birth dates, addresses, Social Security numbers, driver’s license numbers, passport numbers, state ID numbers, insurance data, financial details, medical record numbers, and some clinical data.

Affected individuals received offers of free 12-months identify theft protection and credit monitoring services membership. University Hospital has since undertaken steps to enhance its safety procedures to avoid other breaches.

About Christine Garcia 1200 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA