On May 10, 2017, the North Dakota Department of Human Services (NDDHS) discovered a report of discarded NDDHS Medicaid claim resolution worksheet documents containing PHI. The papers were reportedly found in a dumpster in Bismark, North Dakota.
NDDHS recovered the documents the same day and immediately launched an internal investigation.
Through the investigation, NDDHS found an employee had improperly discarded the documents on May 8, 2017.
The documents included Medicaid recipient names, dates of birth, provider numbers, Medicaid ID number, dates of service, diagnoses codes, and other sensitive information.
According to the OCR data breach reporting tool, the PHI of 2,452 patients were potentially exposed in the breach.
NDDHS has since taken appropriate disciplinary action against the employee responsible for the incident.
The organization stated no Social Security numbers, financial information, or addresses were included in the documents. Additionally, there exists no evidence any PHI has been improperly used or disclosed as a result of the breach.
To mitigate further damage, NDDHS is offering potentially impacted individuals one year of free credit monitoring and identity theft protection.
“Please be assured that NDDHS takes the matter of privacy and security very seriously and trains workforce members on the safe handling and disposal of confidential information,” stated the notification letter, which was signed by Information Technology Services Division Director Jenny Witham. “Please know that we will be working with our workforce members and reviewing policy and procedures to prevent any future occurrences.”
Texas health clinic employee email error exposes patient information
Stephenville Medical & Surgical Clinic, P.A. (SMSC) recently announced it suffered a data breach on May 19, 2016 when an individual requested that the clinic email a blank medical record release form. Instead, the individual received an email spreadsheet containing a list of former patients.
The employee responsible for sending the email was part of the Medical Records Department.
The document contained information including patient names, dates of birth, medical record numbers, and date of visit.
Most patients listed in the spreadsheet had not been seen at SMSC in over 9 years.
The recipient opened the spreadsheet the evening it was sent, saw it was not the proper form, and immediately deleted the document. The recipient contacted the clinic and reported the error the following morning.
SMSC stated the list did not include any sensitive patient medical or financial information. Additionally, the email did not include any Social Security numbers or addresses.
Given the nature of the incident, clinic officials have stated it is unlikely the recipient could use the information for any kind of identity theft or fraudulent activity.
SMSC enlisted the help of an independent firm to investigate the incident. The team ultimately concluded the incident poses little threat to patients involved in the breach.
Investigators requested the recipient sign an affidavit regarding the incident ensuring the information was completely erased from the computer.
SMSC issued notices to potentially impacted patients explaining the events of the breach and is offering concerned patients identity protection services.
The clinic has not disclosed how many patients were potentially impacted by the breach.
Victory Medical Center data breach affects 2K
Victory Medical Center recently announced it suffered a potential data breach affecting the information of about 2,000 patients, according to the American Statesman. The incident was first discovered on April 5, 2017.
Victory Medical Center became aware of the incident when a patient found their information online and alerted the health center of the breach.
Potentially exposed patient information included patient names, dates of birth, addresses, phone numbers, email addresses, medical account numbers, preferred language, race, and ethnicity.
The report was removed five days after discovery.
“The data elements disclosed were demographic in nature and generally available via routine web and directory searches,” health center officials said in a public statement. “They did not include sensitive information that could be easily used to create unauthorized accounts or otherwise impair you or your privacy.”
Victory Medical Center emphasized that the risk of improper use of demographic patient information is low.
Presently, Victory Medical Center is uncertain as to when the breach occurred. However, officials estimate the breach occurred around June 10, 2013.
Charlotte woman charged with stealing patient information
Last week, a woman in Charlotte, North Carolina admitted to stealing the personal information of over 150 patients at a Charlotte medical practice, according to a Charlotte Observer report.
Former practice employee Keniona Thomas pleaded guilty to one count of identity theft for stealing information from patient files.
Prosecutors and court records have omitted the name of the practice affected in the incident.
Thomas reportedly sold the stolen information to another individual, Christopher Roach, who then used the information to make fraudulent purchases and procure false driver’s licenses.
Roach paid Thomas $10 for each patient’s information.
Since obtaining the patient information, Roach and his affiliates defrauded victims and banks out of up to $97,000 according to prosecutors.
Thomas faces a maximum of 15 years in prison and a fine of $250,000 for the crime.