St. Luke’s Health-Memorial Lufkin, Iowa Total Care and RiverPointe Post Acute Reported Breaches

CHI St. Luke’s Health-Memorial Lufkin in Texas sent notification letters to patients regarding the potential exposure of their protected health information (PHI).

St. Luke’s threat management team investigated a security breach of a network server on March 25, 2020. On April 23, 2020, an investigation by third-party specialists confirmed that an unauthorized external party most likely accessed the email accounts of two employees.

The investigators found no evidence of unauthorized data access or data theft. Nonetheless, the risk can’t be ruled out. The employee email accounts stored information such as names, diagnosis information, facility account numbers, and service dates. Based on the investigation, St. Luke’s is confident that patient information was not misused. Nevertheless, selected patients were offered free credit monitoring services via Experian as a protective measure.

St. Luke’s looked into the security breach carefully, examined data access records, and conducted a threat intelligence evaluation. It reset all passwords throughout the facility, altered and improved hardware, upgraded security by updating the software, and revised its procedures for system access.

The HHS’ Office for Civil Rights hasn’t yet posted the breach information on its website, so there is no confirmed number of affected patients.

633 Patients’ PHI Missing at RiverPointe Post Acute

RiverPointe Post Acute in Carmichael, CA advised 633 nursing home residents of the potential compromise of their PHI. The provider mailed a USB storage device containing information such as names, insurance ID numbers, and certain Social Security numbers, but it did not reach its destination. After informing the post office, the staff quickly set about tracking the storage device, but it could not be found.

Though no specific evidence was found that suggests an unauthorized person took the device, the people affected by the breach were provided complimentary identity theft protection services as a precaution. Employees will be provided more training on data security.

PHI of 11,500 Iowa Total Care Members Exposed Because of Email Error

Iowa Total Care found out that a staff member made an impermissible disclosure of the PHI of many patients. On April 29, 2020, staff sent an Excel file containing claims data to another big service company. The Excel file contained the PHI of patients who had yet to receive any healthcare at the company.

The spreadsheet contained 11,581 patients’ names, Medicaid ID numbers, diagnosis codes, procedures, and birth dates. Because Iowa Total Care is a HIPAA covered entity, it needs to secure PHI and delete the Excel file. Further, Iowa Total Care must ensure that no information was duplicated or disclosed. Employees have undergone training. Additional safety measures put in place will prevent similar breaches in the future.