Nebraska Medicine found that an employee accessed patients’ medical files without any legitimate work reason over a period of roughly three months.
Nebraska Medicine discovered the privacy violation when it conducted a routine audit of its medical record system. The audit revealed that the employee first accessed patient records on July 11, 2019 and continued to do so until October 1, 2019, when the company discovered the privacy violations.
Upon discovering the breach, Nebraska Medicine took steps to prevent further unauthorized access while the investigation was ongoing. The employee in question was dismissed a day after the privacy violations were discovered.
According to a statement from Nebraska Medicine, the affected people were notified by mail, and anyone whose Social Security number was potentially compromised received complimentary credit monitoring services for 12 months as a precautionary measure.
Nebraska Medicine believes that no sensitive information was or will be misused, suggesting that the employee accessed the records out of curiosity. The number of individuals affected is uncertain at this stage.
The breach notification letter sent to affected patients indicated that the types of information potentially accessed include names, addresses, birth dates, Social Security numbers, medical record numbers, driver’s license numbers, clinical data, physicians’ notes, lab test results and medical images.
Phishing Attack at Presbyterian Healthcare Services
Presbyterian Healthcare Services announced in August 2019 the compromise of several employees’ email accounts as a result of a phishing attack.
Presbyterian Healthcare Services found out about the breach on June 9. The investigators reported that the affected accounts contained the protected health information (PHI) of 183,370 patients. Although the provider had already sent notifications, the breach investigation continued. Presbyterian Healthcare Services has now found that the breach was bigger than earlier thought: the compromised email accounts contained the PHI of 276,000 patients.
More notification letters were sent to patients on November 25. The notices stressed that there was no evidence indicating that any PHI was accessed, downloaded or misused. It was also established that only the email system was impacted. The attackers had no access to medical files or the billing platform.