[author: Jane Anderson]

Report on Patient Privacy 22, no. 5 (May, 2022)

◆ A law firm in Evansville, Indiana, is considering pursuing claims involving a physician who spoke with women at a bar and then allegedly looked up their medical records, the Evansville Courier & Press reported.^[1] At least six women have received an apology letter from Deaconess Health System stating that a physician accessed their medical records without purpose, Taylor Ivy, an attorney with Ladendorf Law, told the newspaper. The physician “would walk up to them, start talking to them, get their names, things like that,” Ivy was quoted as saying. “Then it seems he went to work, trying to get their medical records. One of the women [said] he showed up at her workplace in a suit, with a note that had been written for her.” One of the apology letters, dated Feb. 23, was shared on Facebook by Ladendorf Law with the recipient’s name blacked out. The letter states that the recipient’s records were accessed on eight dates from June 2020 to December 2021 “without business need,” and “we sincerely apologize for this event,” which the health system said was uncovered during a “routine audit” in January. The records accessed included both personal and medical history information. The letter, which was signed by Amanda McCarthy, a privacy officer for Deaconess Health System, included an offer for one year of complimentary use of an online identity theft product. It also stated that the Deaconess employee in question was fired following completion of the audit.

◆ A ransomware group called Hive claims to have stolen private data for 850,000 members of Partnership HealthPlan of California, a nonprofit that manages health care for Medi-Cal patients in 14 counties.^[2] Partnership notified a local community health center on March 21 that its computer systems were down. A week later, it posted on its website that it was experiencing “technical difficulties, resulting in a disruption to certain computer systems.” A computer threat analyst notified The Press Democrat that Hive posted on the dark web about stealing Partnership’s data. A screenshot of the claim, since removed from the dark web, shows that Hive claimed “the stolen data includes…850,000 unique records of name, SSN [Social Security number], date of birth, address, contact, etc.” Hive also claimed that 400 gigabytes of data were stolen from Partnership’s file server. Partnership said in a statement that it was aware of the claims and that an investigation was ongoing.

◆ Health care billing services company Adaptive Health Integrations of Williston, North Dakota, experienced a data breach in October that exposed data for 510,574 people.^[3] According to a statement from the company, “an unauthorized individual may have accessed a limited amount of data stored on our systems. Upon learning of the issue, we contained the threat by disabling unauthorized access to our network and commenced a prompt and thorough investigation with assistance from external cybersecurity professionals.” Data potentially accessed included names, dates of birth, contact information and Social Security numbers, Adaptive Health Integrations said.

◆ The health exchange that facilitates the purchase of individual health insurance plans for Connecticut residents failed to report dozens of security lapses to authorities, a state audit found.^[4] Personal information was accessed inappropriately during 44 breaches at Access Health CT between July 2017 and March 2021, according to state auditors. However, these lapses were not reported when they occurred, even though such reports are required by law, according to the audit. John Geragosian, a state auditor, said his office found Access Health CT’s information security policies inadequate after review. The state attorney general’s office found that Access Health CT has experienced the most breaches of any public or private organization in Connecticut in recent years.

◆ SummaCare, a health insurance provider in Akron, Ohio, is notifying around 1,100 members that their information may have been accessible during a security breach involving a misconfigured computer.^[5] The insurer said “it recently investigated and addressed a data security incident involving about 2% of its 61,000 members,” according to a report. SummaCare said it became aware of the issue, which allowed certain documents to be accessible online, on Feb. 8. The documents were accessible online between Nov. 19 and Feb. 7. “The documents contained some members’ names, health insurance ID numbers, patient account numbers, dates of service, provider names and limited treatment information,” the insurer said. SummaCare said it does not believe there was any misuse of information, but suggested that affected members review their statements and contact SummaCare if they find any treatments listed that they did not receive.

◆ Christie Clinic in Champaign, Illinois, reported a breach involving nearly 503,000 individuals that occurred when an unauthorized third party attempted to intercept a business transaction between Christie Clinic and a vendor.^[6] An investigation concluded there was unauthorized access to an affected email account from July 14, 2021, to Aug. 19, 2021. The investigation wasn’t able to determine whether email messages in the account were viewed or accessed by any unauthorized party, the clinic said, and so “Christie Clinic undertook a review to identify the full scope of information that could have been contained in the affected email account to determine whether protected information was potentially impacted.” The review determined that information contained in the email account included names, addresses, Social Security numbers, medical information and health insurance information. The clinic stressed that its electronic medical record was not affected, and that there was no evidence information was misused.

◆ Nearly 47,000 Texas residents’ information may have been exposed in a breach involving Touchstone Imaging, a medical scanning company based in Plano.^[7] In late December, patients who were scheduled for mammograms, MRIs and other scans at Touchstone Imaging locations were told their appointments were canceled, CBS DFW reported. Some patients were told the cancellations were due to a hacking incident, the news station reported. In its notice, Touchstone said it identified a security incident on Dec. 24, 2021, that impacted systems containing patient information. “Within days, we were able to quickly contain the incident and resume serving patients,” the notice said.^[8] “The investigation subsequently determined that between December 17 and December 24, 2021, an unauthorized party gained access to our network and took copies of some of the documents on our system.” Touchstone Imaging said that the information included names, addresses, medical information and health insurance information. Social Security numbers were included for a limited number of patients, and Touchstone said it would provide those patients with complimentary credit monitoring.

◆ Cleveland-based MetroHealth System (MHS) said information for approximately 1,700 patients has been impacted by a data breach that occurred when the wrong records were included in medical record releases.^[9] According to the health system, “On February 10, 2022, MHS’ medical record partner let us know that certain medical record releases contained other patients’ information. We immediately began investigating. We learned that, on November 13, 2021, during an upgrade to our electronic medical record system, a limited group of patients’ records were unintentionally affected. As a result, when we released the records of some patients as planned, the name, date of service and provider name [for] different patients also appeared in those records. This was the only information that was released. No personal, financial, or other health-related information was shared.” MHS provided a phone number to call for additional information.

1 John T. Martin, “Law firm says Deaconess doc viewed women’s personal, medical data without cause,” Evansville Courier & Press, April 16, 2022, https://bit.ly/3vhnyWX.
2 Martin Espinoza, “Hacking group claims responsibility for ransomware attack on Northern California health care network,” The Press Democrat, March 30, 2022, https://bit.ly/3kg9qqB.
3 Jim Monk, “North Dakota company hit by cyber attack, more than 500,000 affected,” KVRR Local News, April 25, 2022, https://bit.ly/3KieiWZ.
4 Mary Katherine Wildeman, “State-run health insurance exchange failed to prevent breaches of CT residents’ data, audit finds,” CT Insider, updated April 4, 2022, https://bit.ly/3vhfTbj.
5 Betty Lin-Fisher, “Was your data compromised? About 1,100 members SummaCare affected,” Akron Beacon Journal, April 8, 2022, https://bit.ly/3rRKR7U.
6 “Notice of Data Privacy Event,” Christie Clinic, March 24, 2022, https://bit.ly/3vDicUQ.
7 Ginger Allen, “I-Team Update: Touchstone imaging reports data breach to state,” CBS News DFW, April 14, 2022, https://cbsn.ws/3kh6ha2.
8 Touchstone Imaging, “Notice of IT Security Incident Affecting Certain Patients,” February 2022, https://bit.ly/3OE3rtB.
9 WKYC Staff, “Roughly 1,700 MetroHealth patients affected by data breach,” WKYC 3 Studios, April 13, 2022, https://bit.ly/3xSWi2G.

[View source.]