Two health care entities recently reported health data breaches, while another organization is facing a lawsuit over a recent data breach and another group is being investigated for potential patient privacy violations.
Memorial Hermann Health System Data Breach
On Friday, Memorial Hermann Health System announced an internal data breach that affected the personal health data of 10,604 patients over a six-and-a-half year period from December 2007 to July 2014, Health IT Security reports.
The breach occurred when an internal employee gained unauthorized access to the organization’s electronic health record system.
According to a notice published on the group’s website, the employee accessed patients’:
- Health insurance data;
- Medical record numbers;
- Names; and
- Social Security numbers, in some instances (Ouellette, Health IT Security, 9/2).
Cedars-Sinai Health Systems Data Breach
Cedars-Sinai Health System last week informed more than 500 patients that their protected health information was stolen during a home burglary on June 23, Health Data Management reports.
The PHI existed on a password-protected laptop that was taken from an employee’s home during the burglary. Investigations are continuing, and the full breadth of the breach is still unknown (Goedert, Health Data Management, 8/26).
In a notice sent to those affected by the breach, Cedars-Sinai officials wrote that “there is no indication of any actual or attempted unauthorized access to health information.”
Officials said the stolen laptop could have contained some patients’:
- Lab testing numbers;
- Medical record numbers;
- Patient identification numbers;
- Social Security numbers;
- Treatment information; and
- Other personal data (Pedulli, Clinical Innovation & Technology, 8/26).
Lawsuit Filed Against Community Health Systems
Five Alabama residents have filed a class action lawsuit against Community Health Systems alleging that the provider did not inform those potentially affected by a data breach in a timely manner, the Nashville Business Journal‘s “NashvilleBizBlog” reports (Kennedy, “NashvilleBizBlog,”Nashville Business Journal, 8/26).
Last month, Community Health Systems announced that an external group of hackers attacked its computer network and stole the non-medical data of 4.5 million patients (iHealthBeat, 8/18).
However, the lawsuit stated that CHS discovered the attack in April and June.
According to a National Law Journal report, the suit — which was filed in the Northern District of Alabama — argues that CHS’ delay in releasing information about the breach “deprived millions of former patients of critical time to protect themselves from identity theft” (“NashvilleBizBlog,”Nashville Business Journal, 8/26).
The suit also alleges that CHS did not have the proper security standards to protect patients’ sensitive health information (Phillips, Birmingham Business Journal, 8/27).
Patient Privacy Investigation into Optum Idaho
Federal investigators are examining whether Optum Idaho, which manages part of the state’s Medicaid program, has violated patient privacy laws, the Idaho Statesman reports.
Since October 2013, local health care providers have alleged that Optum sent them erroneous reports about patients that were meant for other providers. The reports included patients’:
- Mental health or substance use treatment services; and
According to Optum, the violations affect about one-hundredth of 1% of the 1.3 million claims it has handled in the state and no patient health information has been disclosed outside of provider networks (Dutton/Saunders, Idaho Statesman, 8/28).