Breaches At Northwestern Memorial Hospital, Five Points Eye Care, and Apex Laboratory

Northwestern Memorial Hospital in Chicago found that a former temporary employee may have viewed the medical records of certain patients without proper authorization while working at the hospital.

The hospital detected the unauthorized data access on December 2, 2020. An analysis of access logs revealed that the worker accessed patient information without a work-related reason from October 27, 2020 to December 2, 2020. The data that may have been accessed included only patient names, addresses, and treatment details. The person did not get access to financial data or Social Security numbers.

Northwestern Memorial Hospital reported the privacy breach, stating that the data of 682 patients might have been viewed, and said that the temporary worker no longer works at the hospital. It is not clear why the information was accessed. The hospital is notifying all affected patients about the privacy breach by mail and has reported the incident to the appropriate authorities.

Potential Breach of Patient Information at Athens Optometrist

Five Points Eye Care, located in Athens, GA, has learned that an unauthorized individual gained access to its network and possibly viewed or obtained patient data. The breach happened on October 27, 2020 and was identified and remediated the same day.

The breach affected only the email system, which contained communications sent to the optometrist by other treating physicians. The information in the email messages included names, birth dates, Social Security numbers, addresses, prescription drugs, and treatment plans. A forensic investigation established that the unauthorized individual did not access any other data.

Five Points Eye Care reported the security breach to law enforcement, mailed notifications to affected individuals, and offered free credit monitoring services for one year.

Apex Laboratory Encountered a DoppelPaymer Ransomware Attack

In July 2020, Apex Laboratory, a home laboratory services provider in New York and South Florida, encountered a DoppelPaymer ransomware attack. The DoppelPaymer ransomware gang recently uploaded thousands of records to its data leak site. Much of the information contained the protected health information (PHI) of patients and sensitive employee information.

Databreaches.net reports that after it got in touch with Apex Laboratory concerning the data breach, the dumped information was deleted from the DoppelPaymer leak website. Apex Laboratory posted a breach notice on its website on December 31, 2020 confirming that it experienced a ransomware attack on July 25, 2020, but that the encrypted information was restored on July 27, 2020.

It is presumed that the data uploaded to the leak site was obtained in the July cyberattack. Apex Laboratory stated that after being notified about the dumped files, it immediately took steps to make sure the attackers deleted the data files from the leak website. The dumped records are believed to include patient names, dates of birth, lab test results, and the phone numbers and Social Security numbers of some patients. The breach investigation is in progress and the provider will mail breach notification letters to victims in a couple of days.

Author: Joe Murray

Joe Murray is the Editor-in-Chief of HIPAA 101, where he leads the writing team in delivering high-quality news and insights on HIPAA regulations. With over 15 years of experience in healthcare journalism, Joe has established himself as a trusted writer. At HIPAA 101, Joe is dedicated to providing healthcare professionals and administrative staff with accurate, timely, and comprehensive information to help them navigate the complexities of HIPAA.