Last week, the Department of Veterans Affairs announced that a security lapse in the network of an undisclosed telehealth services contractor potentially exposed the health data of more than 7,000 veterans, Health IT Security reports (Snell, Health IT Security, 12/29).
According to a VA spokesperson, the department on Nov. 4 was alerted to the potential flaw in a patient database maintained by the contractor containing the personal health information of 7,054 veterans (Miller, Federal News Radio, 12/24).
Data that were potentially exposed in the breach included veterans’:
- Addresses;
- Dates of birth;
- Names;
- Phone numbers; and
- VA patient identification numbers (Health IT Security, 12/29).
According to the VA spokesperson, the contractor said that only its and VA’s staff had accessed the potentially exposed information.
The spokesperson said VA launched an investigation into the breach when it was notified of the security flaw, adding that the flaw “was immediately corrected” and is continuing to be monitored. Affected veterans were notified of the breach and have been offered no-cost credit protection services (Boyd, Federal Times, 12/24).
Mercy Medical Center Redding Breach Details
In related news, a California hospital has notified hundreds of patients of a HIPAA breach that made their health information accessible via Google and other search engines, Healthcare IT News reports.
The breach, which was discovered Dec. 13, affected 620 patients who received cancer treatment at Dignity Health’s Mercy Medical Center Redding Oncology Clinic after a third-party vendor posted a link on its website to patients’ physician progress notes. Exposed data included:
- Dates of birth;
- Diagnoses;
- Medications;
- Names; and
- Treatment and therapy plans (McCann, Healthcare IT News, 12/23).
Patients were notified of the breach on Dec. 18, and the third-party vendor has removed the link to the data from its site.
According to a Mercy Medical Center Redding statement, the hospital does not think that the data have been used for any “unlawful purpose” (Jayanthi, Becker’s Health IT & CIO Review, 12/26).p>
Northwestern Memorial HealthCare Breach Details
Meanwhile, Northwestern Memorial HealthCare is alerting 2,800 patients of a data breach after an unencrypted laptop containing their personal health information was stolen from an employee’s car, AP/Washington Times reports (AP/Washington Times, 12/20).
According to a hospital statement, the theft occurred on Oct. 21 and the hospital and law enforcement were immediately notified.
The laptop, which was password protected, contained patients’:
- Addresses;
- Billing codes;
- Dates of Birth;
- Dates of service;
- Diagnoses;
- Health insurance information;
- Names;
- Physician names; and
- Treatment information.
The data also included Social Security numbers for some patients.
The hospital said it has “no knowledge” that the data have been used (Jayanthi, Becker’s Health IT & CIO Review, 12/22). The hospital is taking steps to ensure all of its laptops are encrypted and is “reinforcing education” with staff “on the importance of handling patients’ information securely” (AP/Washington Times, 12/20).
