Cyberattack Affected 28,000 Clarke County Hospital Patients
Clarke County Hospital, based in Osceola, IA, has begun informing 28,003 current and former patients about a security breach that compromised part of their protected health information (PHI). The hospital detected suspicious activity inside its IT system and immediately isolated the network. A third-party digital forensics company helped investigate the nature and extent of the breach. It was confirmed that unauthorized access occurred on April 14, 2023, and that the parts of the network accessed included patient data.
There was no compromise of the electronic medical record system and no access to highly sensitive data like Social Security numbers, banking details, credit card data, and/or financial details. The files likely viewed or stolen contained names, birth dates, addresses, medical insurance data, medical record numbers, and certain health details. At the time the notifications were issued, no reports had been received indicating any actual or attempted misuse of patient data.
Clarke County Hospital stated that it immediately made improvements to its system security and engaged experts to carry out an extensive evaluation of system security. Further improvements to security protocols will be made according to the results of the evaluation. The hospital has offered free credit monitoring and identity theft protection services to all likely affected persons for one year and advises all patients to take advantage of those services.
Stolen Laptop Stores Health Benefit Plan Data
A laptop computer was stolen from an Anchorage School District employee's vehicle, possibly exposing the PHI of employees covered by its health benefits plan. The theft happened on March 15, 2023, and the school district immediately reported the incident to authorities, but the laptop has not been recovered.
The school district promptly looked into the incident and confirmed that the laptop has not come back online. An analysis was carried out to find out whether any of the files stored on the laptop could have been accessed. The analysis found that certain files containing names, Social Security numbers, and data associated with registration in the employee health plan were retained for human resources and benefits purposes.
Free identity theft protection and credit monitoring services were provided to the 4,598 employees possibly impacted. Employees are being given more training on the need to protect sensitive data. Portable device security procedures were also improved.
Employee Medical Records Snooping Discovered by Henry Mayo Newhall Hospital
Henry Mayo Newhall Hospital (Henry Mayo), based in Valencia, CA, has learned that an employee accessed the PHI of selected patients with no legitimate work reason. The hospital detected the privacy breach on May 8, 2023, and sent notification letters to impacted persons on May 26, 2023.
The investigation revealed that the employee had viewed patient data including names, dates of birth, visit numbers, medical record numbers, and clinical information like vital signs, diagnoses, and narrative clinical records. The employee was questioned about the unauthorized access, and Henry Mayo is convinced that the employee accessed the records out of curiosity and that there was no further disclosure or misuse of patient data. The hospital took the necessary action under its sanctions policy to prevent further privacy violations. Staff members are provided with continuing counsel and education.
The number of patients that were affected is uncertain at this time.
Arizona Man Gets 54 Months Imprisonment for Criminal HIPAA Violation Case
An Arizona man has been sentenced to 54 months in prison for aggravated identity theft and criminal Health Insurance Portability and Accountability Act (HIPAA) violations. Rico Prunty, 41, of Sierra Vista, Arizona, formerly worked at an Arizona medical facility and illegally accessed the medical intake forms of patients from July 2014 to May 2017. The intake forms contained data covered by HIPAA, such as names, birth dates, addresses, employer data, diagnoses, health data, and Social Security numbers.
He then gave that data to Temika Coleman, Vincent Prunty, and Gemico Childress. His co-conspirators used the stolen data to open credit card accounts in the names of victims. Federal prosecutors working on the identity theft raided an apartment connected to the suspects and found evidence of the creation of credit cards and of fraudulent accounts opened in the names of victims. Prunty and his co-conspirators tried to steal over $181,000 from their victims.
According to court documents, the PHI of about 500 patients was viewed without consent, and their data was exposed to Prunty’s co-conspirators. Rico Prunty confessed to committing aggravated identity theft and criminal HIPAA violations for viewing and sharing patients’ PHI. The HIPAA violations carry a maximum jail term of 10 years, and aggravated identity theft carries a mandatory 2-year sentence, which runs consecutively to sentences for other felony crimes. Senior U.S. District Court Judge James Moody imposed a sentence of 54 months along with 2 years of supervised release, and Prunty was ordered to pay $132,521.98 in compensation to the victims.
Prunty’s co-conspirators received the following sentences for their part in the identity theft:
- Vincent Prunty confessed to committing mail fraud, wire fraud, and aggravated identity theft, for which he was sentenced to 154 months in jail.
- Gemico Childress confessed to committing wire fraud and aggravated identity theft, for which he was sentenced to 134 months in jail.
- Temika Coleman pleaded guilty to wire fraud, mail fraud, and aggravated identity theft and was sentenced to 121 months in jail.
All of them were likewise ordered to pay $181,835.77 in compensation. They will also have 2 years of supervised release.