Stephan C Dean, the co-owner of Surefile, submitted a hacking/IT incident report to the HHS’ Office for Civil Rights (OCR) on March 4, 2020. The California record storage company indicated that the incident impacted more than 70,000 people.
Stephan Dean and his wife were involved in a long term legal fight with Kaiser Permanente regarding the giving back and deleting of electronic files that contain patient data. Kaiser Permanente wanted the files to be completely deleted; nevertheless, Stephan Dean asserts that Kaiser Permanente owes him payment for the services provided. The on-and-off legal action was subsequently ditched, however, the electronic files were not given back or deleted.
Surefile was Kaiser Permanente’s business associate, that is why Surefile got paper copies of health records from Kaiser Permanente in 2008. After Surefile and Kaiser Permanente’s business agreement ended, Stephan Dean gave back the paper copies of health records to Kaiser Permanente; but Stephan Dean still has the emails containing patient data on his computer. Stephan Dean submitted to OCR a complaint regarding the alleged HIPAA violations pertaining to the emails and the absence of a business associate agreement. Although OCR opened a case and investigated the matter, the case was subsequently closed without issuing a penalty.
On August 20, 2019, Microsoft informed Stephan Dean that an unauthorized person potentially accessed his MSN email account. The account involved contained spreadsheets and other files sent by Kaiser Permanente to Stephan Dean.
Stephan Dean just talked with Dissent of databreaches.net and mentioned that the 70,000 records merely represent a data sample. The actual number may be approximately 1 million records, which can just be confirmed by forensic accounting.
Email Security Breach at Golden Valley Health Centers
The patients of Golden Valley Health Centers, which comprise of the healthcare centers located in the Modesto, Merced, and Central Valley regions of California, received notifications about the exposure of some of their protected health information (PHI). An unauthorized person accessed an account containing email messages and file attachments with patient information. Golden Valley discovered the breach on March 3, 2020 and had forensic investigators looking into the incident.
An analysis of the account confirmed that it contained information such as names, billing data, medical insurance data, patient referral details and appointment records. Although the investigation established that an unauthorized person accessed the email account, there is no proof of data theft or misuse found.
Because of the breach, Golden Valley Health Centers is examining and updating its information security guidelines and privacy practices. Employees will also be provided with further training.
The summary report posted on the HHS’ Office for Civil Rights breach portal indicates 39,700 patients were affected.