North Shore University Hospital (NSUH) in Manhasset, NY has announced an incident involving an ex-employee gaining access to protected health information (PHI) with no authorization. 7,614 patients received notifications that a former employee accessed some of their PHI without authorization.
It is uncertain when NSUH detected unauthorized access. According to NSUH, it was identified on April 11, 2019 that unauthorized access had happened from October 2009 to February 2019. At first, the employee was suspended from work as the breach investigation was ongoing. Later, he/she was terminated because of unauthorized access. The breach was reported to the authorities, which asked for a delay in sending notification letters in order not to obstruct the investigation. NSUH stated it did not receive any report of misuse of patient information and no charges were filed versus the ex-employee with regards to the unauthorized access.
PracticeMax
The business management and IT solution company PracticeMax has just informed the Maine Attorney General that a data breach has impacted 165,698 persons. PracticeMax mentioned it began having technical issues on May 1, 2021 and started investigating the potential security breach.
The forensic investigation established that unauthorized persons acquired access to its systems beginning April 17, 2021 possibly up to May 5, 2021. The attackers acquired access to a server and likely duplicated files that contain the PHI of patients as well as health plan members of its customers, before deploying ransomware.
PracticeMax mentioned it sent breach notification letters on behalf of impacted customers on October 19, 2021, although the assessment of the server was not yet finished. The assessment was completed on February 2, 2022, and impacted clients were informed on February 14, 2022. The types of information saved on the server differed from one person to another and possibly included names as well as Social Security numbers. PracticeMax stated that on March 4, 2022, it began sending additional notification letters to persons who were not notified earlier.
Based on the latest website notice, PracticeMax is still assessing the security of its systems and improving current guidelines and procedures, which include imposing more technical and administrative safety measures.
Ascension Michigan
Ascension Michigan began informing 27,177 people concerning an incident of extended unauthorized electronic medical record access. Ascension Michigan mentioned it promptly ended the user’s access to the system upon discovery of the unauthorized access. The inquiry into the incident affirmed that the hacker had acquired access to patient data in the EHR system between October 15, 2015, and September 8, 2021.
An analysis of the unauthorized access was done on November 30, 2021, and affirmed that these types of data were exposed: complete names, dates of birth, addresses, email addresses, telephone numbers, medical insurance data, medical insurance ID numbers and providers, dates of service, diagnoses, treatment-associated data, and, in certain instances, Social Security numbers.
After the breach, Ascension Michigan reviewed its internal controls and updated its processes to better secure patient data. Credit and identity theft protection monitoring services were given to impacted persons.