Insider Breach at UMMA Community Clinic
University Muslim Medical Association (UMMA) Community Clinic in Los Angeles discovered that a former employee sent a secured file containing patients’ PHI to an individual’s email account. UMMA learned about the incident on July 1, 2020, two days after the data file was sent.
UMMA has obtained written verification from the former employee that the file was securely erased, and UMMA is not aware of any further information disclosures or misuse.
UMMA has enforced further policies and procedures to prevent similar privacy breaches in the future. It is currently unclear how many individuals have been affected or what types of protected health information the secured data file contained.
Former Mayo Clinic Employee Accessed Healthcare Records of 1,600 Patients Without Authorization
Mayo Clinic has begun notifying more than 1,600 patients that a former employee accessed their protected health information (PHI) without a legitimate work reason.
Mayo Clinic reported on August 5, 2020, that a licensed medical care professional accessed the patient records although there was no legitimate reason for doing so. The health worker was ending his/her employment with Mayo Clinic when the clinic discovered the privacy breach. The individual is no longer employed at Mayo Clinic.
The reason for accessing the medical files is unknown, and Mayo Clinic did not disclose when the privacy breach took place. Mayo Clinic stated that the data was accessed for a limited time frame and that no evidence has been identified indicating the employee copied or kept any data.
The potentially compromised information included names, dates of birth, demographic details, health record numbers, clinical photos, and clinical notes. No financial data or Social Security numbers were viewed by the employee. Mayo Clinic has reported the unauthorized records access to the FBI and the Rochester Police Department. The investigation of the privacy breach is ongoing.
Mayo Clinic said that the delay in issuing notifications was caused by the extended investigation into the privacy breach. Affected individuals have already been notified; however, the nature of the data viewed suggests that no action is required in connection with the breach.
Seven Counties Services Experiences 13,375-Record Data Breach
Seven Counties Services in Kentucky is notifying 13,375 patients regarding a breach of their PHI. A phishing attack on Seven Counties Services gave an unauthorized person access to 13 employee email accounts. Seven Counties’ IT department detected the breach on July 28, 2020, and immediately secured the compromised email accounts. The attack started on July 27, 2020, and continued until July 30, 2020.
An analysis of the compromised email accounts showed they held reports that contained PHI such as names, birth dates, Social Security numbers, telephone numbers, addresses, email addresses, dates of service, and diagnoses. It cannot be determined whether the attackers opened, viewed, or downloaded any emails in the accounts.
The Seven Counties Services IT department has enhanced access controls and put in place location-dependent multi-factor authentication, and employees have received additional training on phishing and email spoofing attacks.