Three HIPAA-Regulated Entities Disclose Breaches Potentially Impacting Personal Information
Missouri's Iron County Medical Center, California's Regional Center of the East Bay and Texas' Winkler County Hospital District recently notified affected individuals of data breaches that may have impacted customers' personal information.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
On December 6, 2024, two Iron County employees said they received a suspicious email from a third employee and the medical center immediately reset active email sessions and launched its incident response plan, the center said on its website. Despite this, Iron County's "investigation concluded that the unknown threat actor was able to gain unauthorized access to a single email account" and could have exposed personal information.
Iron County said letters to the impacted individuals were sent on June 30, and it is offering complimentary identity protection services to those impacted.
The breach affected approximately 10,239 individuals, Federman & Sherwood, a law firm, said June 26. It's investigating the breach.
East Bay reported its breach to the U.S. Department of Health and Human Services on July 9, describing an incident involving the unauthorized access or disclosure of protected health information of approximately 689 individuals stored on a laptop. California DOJ also reported the incident on its website.
On June 24, "an email containing personal information regarding our client, including first and last name, date of birth, and UCI number, was inadvertently sent to an individual outside of our agency," the notification letter said. Though the information impacted did not include information that could expose people to identity theft, "nonetheless, we felt it necessary to inform you that personal information was involved. We have also requested the recipient to delete the email from their inbox and deleted box, and they have confirmed that they have done so."
On Monday, law firm Federman & Sherwood announced it was investigating that breach as well.
On June 17, Winkler County informed 637 customers of a data event that occurred April 11 and was discovered April 22, when the hospital became aware that a former employee had transferred records to his personal email account. An investigation "revealed that certain information may have been viewed and copied by an unauthorized individual as part of the event."
After an analysis, which ended June 11, Winkler County determined the information potentially included diagnoses, insurance information and authorization, medical record numbers, Social Security information and visitor identification data, among other things.