Health plan Total Health Care Inc, based in Detroit, MI, has learned that unauthorized people gained access to a number of personnel email accounts that contained sensitive personal data of health plan members and doctor associates.
Upon discovering the breach, the health plan immediately secured the email accounts to prevent further unauthorized access and engaged security specialists to perform a forensic analysis to determine the nature and extent of the breach. The results of the investigation showed that the breach only affected email accounts. Unauthorized individuals accessed them from December 16, 2020 to February 5, 2021.
No evidence was found indicating that any protected health information (PHI) was viewed or misused; however, unauthorized access cannot be ruled out. Analysis of the emails within the accounts showed they contained names, birth dates, addresses, member IDs, claims details, and Social Security numbers.
Because of the sensitive nature of the information within the accounts, affected persons were provided complimentary credit monitoring services for about two years via CyberScout. Measures have been taken to enhance email security, including reviewing and revising policies and processes and giving extra security awareness training to employees.
The health plan has reported the breach to the HHS’ Office for Civil Rights as affecting 221,454 people.
Harrington Physician Services Reports Potential Breach of a Patient Mailing List
Harrington Physician Services, based in Southbridge, MA, is notifying 4,393 patients about the potential exposure of some of their PHI. It was later learned that a mailing list had been uploaded to a location inside its information system that wasn’t designed to store patient information. Consequently, it’s possible that people outside Harrington Physician Services might have accessed the mailing list, which contained names, addresses, ages, birth dates, primary care doctor names, and most recent office visit dates.
The investigation didn’t find any evidence that the mailing list was accessed; however, it wasn’t possible to rule out a breach. The mailing list was exposed for only a brief period, and accessing it would have required access to the network where it was kept. The risk to patients is therefore considered minimal; nevertheless, as a precaution, affected patients were notified and given details about credit protection and monitoring services.