PHI Exposed at the Santa Rosa & Rohnert Park Oral Surgery, Ashtabula County Medical Center and Orchard Medical Consulting

Santa Rosa & Rohnert Park Oral Surgery on Portland, OR found out that an unauthorized individual got access to an employee’s email account. The provider knew about the PHI breach on March 11, 2020 after discovering in the email account some suspicious activities. The forensic investigators affirmed there was an email account breach on December 20, 2019, which continued until March 11, 2020 when account security was restored. The breached email account included a number of protected health information (PHI) which the threat actor might have seen or obtained.

Santa Rosa & Rohnert Park Oral Surgery provided the impacted persons with free MyIDCare credit monitoring and identity theft protection services through ID Experts, reviewed the company’s policies and procedures for improvement, and strengthened information security.

PHI of 3,683 Patients of Ashtabula County Medical Center Exposed Over the Internet

Ashtabula County Medical Center (ACMC), which is an affiliate of Cleveland Clinic, is sending notifications to 3,683 patients regarding the exposure of some of their PHI on the internet. To follow the requirement of the government to disclose medical costs, ACMC uploaded an Excel spreadsheet on an internet site on or around January 6, 2020. On March 12, 2020, ACMC discovered that some patient PHI were unintentionally included in the Excel spreadsheet.

The information exposed over the web only included patients’ names, health and treatment histories, and diagnoses. Social Security numbers and financial details were not included in the exposed data. As a safety measure, ACMC offered affected patients a 12-month free IDExperts membership for identity theft recovery services.

ACMC has already reviewed and updated its policies and procedures along with the implementation of more safety measures to avoid identical breaches later on.

Phishing Attack at Orchard Medical Consulting

Orchard Medical Consulting, which provides nurse case management services related to workers’ compensation claims, submitted a report that an unauthorized person got access to an employee’s email account and possibly viewed PHI kept in the account.

Orchard Medical Consulting detected the attack on January 30, 2020 and quickly secured the account. The investigation showed that the account included names and birth dates. The Social Security number and health data like diagnosis, treatment program, and/or health history for a few people were also compromised.

The investigators did not find any evidence of access or theft of data or misuse of PHI. The provider offered the affected persons free membership to TransUnion Interactive’s myTrueIdentity credit monitoring service for extra safety measures. To avert other breaches, Orchard Medical Consulting strengthened its email security, updated its policies and procedures, and implemented multi-factor authentication.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on twitter at