[author: Jane Anderson]

Report on Patient Privacy 22, no. 4 (April, 2022)

◆ Dallas-based JDC Healthcare Management, which runs more than 70 dental and orthodontics practices in Texas, is notifying more than 1 million individuals about a breach that it says “may affect the security of some personal information.”^[1] Around Aug. 9, JDC said it “became aware of a malware incident impacting certain company systems. JDC immediately worked to restore its systems and launched an investigation, with assistance from third-party computer forensic specialists, to determine the nature and scope of the incident.” According to the company’s breach notification, the investigation determined that “certain JDC data was subject to unauthorized access and/or acquisition during the incident between July 27, 2021 and August 11, 2021.” Information that could have been accessed or acquired included clinical information, demographic information such as Social Security numbers, driver’s license numbers and dates of birth, health insurance information, and financial information, the company said. It did not mention offering free credit monitoring and identity protection services.

◆ An urgent care center in Lincoln, Nebraska, alleged in a lawsuit that a data breach at the company that handled its billing led to the discovery of a number of claims that went unpaid over several years.^[2] In the lawsuit filed in February, Urgent Care Clinic of Lincoln PC argued that after a ransomware attack on PracticeMax in 2021, the urgent care clinic discovered “a significant number of claims that were either not handled properly, not processed at all or otherwise neglected.” PracticeMax, based in Arizona, provides billing, information technology, practice management and other services to health care offices. The company has a regional office in Lincoln. PracticeMax posted a notice on its website that states it discovered ransomware had been installed on some of its systems in 2021, and that there may have been unauthorized access to its systems between April 17 and May 5. The lawsuit does not link the unpaid claims directly to the ransomware attack. In fact, the lawsuit states that some of the claims date as far back as 2019 and further. However, the breach investigation led to the unpaid claims being discovered, the lawsuit said. The suit alleges negligence, breach of contract and unjust enrichment by PracticeMax, and the urgent care center said that its losses are “well in excess” of the $75,000 minimum for the case to qualify to be filed in federal court. Michael Johnson, CEO of PracticeMax, said his company has “successfully processed tens of thousands of claims” for Urgent Care Clinic of Lincoln over a number of years, and added, “in the case, they are claiming issue with a couple of hundred claims, which will have to be evaluated through due process.”

◆ A company hired by Oklahoma to review data about 5,000 disabled state residents waiting for state services stored their information on an unsecured server in an Excel spreadsheet, leading to a breach of that information, according to Oklahoma’s Department of Human Services.^[3] International hackers compromised the server inside DHS contractor Liberty of Oklahoma, the state agency said, and the breach involved the personal information of children and adults with intellectual disabilities. Liberty has offered one year of free credit monitoring to those affected. However, many are having trouble accessing the credit monitoring: parents of minor children say the code they were given works only for adults, and caregivers of disabled adults say they cannot be granted access to credit monitoring without a power of attorney. Liberty was working to provide special codes for minors and also to address the issue of powers of attorney. The families affected by the breach were participating in a statewide research project conducted by Liberty that aims to shrink the waiting list of state residents seeking state services, and the department urged families to continue to cooperate with Liberty.

◆ Personal and medical information from approximately 108,906 residents of the Chelan-Douglas Health District in Washington State may have been taken during a data breach that occurred in early July 2021.^[4] The health district said it “recently” discovered unauthorized access to its network occurred between July 2 and July 4. Following an investigation, the health district determined that “certain identifiable personal information was removed from its network in connection with this incident, including the affected residents’ full names and one or more of the following: Social Security numbers, dates of birth/death, driver’s license numbers, financial account information, medical information, and/or health insurance policy information.” The health district said it was not aware of any reports of identity fraud or improper use of the information. However, the notification letter said that Chelan-Douglas Health District is offering the residents whose Social Security numbers were impacted complimentary one-year memberships with a credit monitoring service, and the residents whose medical information was impacted are being provided steps to take to safeguard against medical identity theft.

◆ Montrose Regional Health in Colorado is notifying patients about a data breach.^[5] The breach, which occurred between Aug. 21 and Oct. 26, 2021, involved an unauthorized person accessing employee email accounts that contained personal information, such as patient names, internal patient account numbers, service dates, procedure codes, provider names, health insurance provider information and treatment costs. The internal investigation was not able to determine exactly what information was accessed in the breach. The hospital said it has reset the passwords for all its email accounts, and is conducting a review of security policies and procedures. Montrose also said that there is no evidence of misuse of information and “no reason to believe Montrose was specifically targeted.”

◆ Capital Region Medical Center (CRMC) in Jefferson City, Missouri, said patient information was accessed by unauthorized individuals in a December 2021 cyberattack that took the medical center’s phones and network systems offline for several days.^[6] The medical center said it experienced a disruption to its network systems on Dec. 17, and “promptly disabled our network as a security measure.” The investigation into the incident concluded that an unauthorized third party gained access to files containing personal and health information, the medical center said. “Based on the investigation to date, while there is no indication that the electronic medical health record database was accessed, CRMC has determined that personal and health information relating to some patients was contained in files accessible to the unauthorized third party,” the statement said. “Such information included first and last name, date of birth, full mailing address, medical information, and health insurance information. For some individuals, Social Security numbers, driver’s license numbers, and financial account information may have been accessed.” Although the medical center said there is no evidence of any instances of fraud or identity theft resulting from the incident, the medical center will offer one year of credit monitoring to individuals whose Social Security numbers or driver’s license numbers were involved.

◆ Labette Health, a trauma center in Parsons, Kansas, experienced a data breach last fall that affected the personal information of some 85,635 individuals, including both patients and staff members.^[7] Following an investigation, Labette Health said that unauthorized individuals potentially accessed and acquired information from portions of its network between Oct. 15 and Oct. 24, 2021. The files and folders that may have been accessed or acquired contained identifiable personal and/or protected health information of employees and certain patients who received services from Labette Health, including the individuals’ full names and one or more of the following: Social Security numbers, medical treatment and diagnosis information, Medicare or Medicaid number, and/or health insurance information. Labette Health said it has no evidence to suggest that any information has been misused, but said it would provide free credit monitoring for individuals whose Social Security numbers were affected by the breach

1 JDC Healthcare Management LLC, “JDC Healthcare Management Provides Notice of Data Incident,” news release, PR Newswire, February 25, 2022, https://prn.to/3tXC9GE.
2 Matt Olberding, “Lincoln urgent care center sues billing provider, alleging mishandled claims,” Lincoln Journal Star, March 13, 2022, https://bit.ly/3tTtLYC.
3 Ali Meyer, “Disabled Oklahomans vulnerable from DHS data breach,” Oklahoma’s News 4, March 12, 2022, https://bit.ly/3wTlrtC.
4 Dominic A. Paluzzi, “Chelan Douglas Health District – Incident Notification,” McDonald Hopkins, March 15, 2022, https://bit.ly/3qSsvD6.
5 Cristian Sida, “Montrose Regional Health experiences data breach,” KKCO, March 11, 2022, https://bit.ly/3LmV1Vg.
6 “Security Update,” Capital Region Medical Center, March 28, 2022, https://bit.ly/3DvghoR.
7 “Labette Health Security Breach,” Labette Health, March 11, 2022, https://bit.ly/3NydMXP.

[View source.]