PHI Exposed at Alomere Health and Mercy Health Lorain Hospital Laboratory Data Breaches

Alomere Health in Alexandria, MN experienced a phishing attack that gave unauthorized persons potential access to the protected health information (PHI) of approximately 50,000 patients.

After becoming aware of the phishing attack on November 6, 2019, the healthcare provider conducted an internal investigation that revealed the account was accessed by unauthorized persons from October 31 until November 1, 2019.

The computer forensics company that investigated the breach revealed on November 10, 2019 that a second email account compromise occurred on November 6.

After a detailed examination of the compromised accounts, the investigators confirmed that selected emails and attachments contained PHI. The types of data potentially exposed in the breach varied from patient to patient, but may have included these data elements: names, birth dates, addresses, medical insurance information, medical record numbers, diagnosis information and/or treatment data. The accounts also included the driver’s license numbers and Social Security numbers of some patients.

Alomere Health did not confirm whether the hackers were able to access or copy any email messages or attachments containing PHI; nevertheless, it cannot be certain that no unauthorized access or theft of data happened. On January 3, 2020, Alomere Health sent notifications to all 49,351 patients whose information was likely breached.

Free one-year credit monitoring and identity theft protection services were offered to people whose driver’s license numbers or Social Security numbers were compromised. Thus far, no reports of patient data misuse have been received.

Alomere Health upgraded its cyber defenses and gave its employees extra security awareness training to help them recognize email-based threats.

Mailing Error at Mercy Health Lorain Hospital Laboratory

RCM Enterprise Services, Inc. is a patient billing services provider to Mercy Health Lorain Hospital Laboratory in Ohio. RCM notified a number of Mercy Health Lorain Hospital Laboratory patients that their individually identifiable personal data was potentially subjected to impermissible disclosure.

An error was found in the medical invoice mailing that was dispatched on or around November 7, 2019. The mailing vendor contracted by RCM used envelopes that made the Social Security numbers visible through the windows.

The invoice information that should have been visible through the windows included the patients’ names and addresses (street, city, state, and zip code). However, due to the error, the Social Security number became visible instead of the city and zip code.

Barbara Shaub, RCM’s Director of Revenue Cycle Management, pointed out the company’s commitment to data privacy and security, and said the company has reviewed and modified its procedures as needed to prevent similar incidents in the future.

No report has been received by RCM regarding any misuse of patient information. As a security measure, RCM offered all affected people complimentary credit monitoring and identity theft protection services. The number of people impacted by the breach is still uncertain.