Getty Images/iStockphoto

News

HSA administrator discloses healthcare data breach

In an SEC filing, HealthEquity disclosed a healthcare data breach that stemmed from unauthorized access to a business partner’s user account.

Jill McKeon
By
Published: 09 Jul 2024

HealthEquity, a health savings account (HSA) administrator, disclosed a healthcare data breach in a recent Securities and Exchange Commission (SEC) Form 8-K filing.

According to the filing, HealthEquity discovered the breach earlier this year through routine monitoring. The company discovered anomalous behavior on a personal use device belonging to a business partner.

HealthEquity later determined that an unauthorized party had accessed the partner’s user account and transferred some personally identifiable information off the partner’s systems. The information involved in the incident included protected health information pertaining to HealthEquity members.

HealthEquity did not find any malicious code on its systems and did not experience any disruptions. The company said it has since taken steps to strengthen its security environment and is in the process of notifying partners, clients and individual members whose information was involved.

Palomar Health Medical Group suffers data breach

Palomar Health Medical Group (PHMG) alerted patients to a data breach that occurred from late April to early May 2024. The investigation is ongoing, and PHMG has not yet been able to determine the specific individuals and information involved in the breach.

PHMG is a multi-specialty, non-profit healthcare organization that serves patients in northern San Diego County. It also encompasses the formerly named Arch Health Medical Group and Graybill Medical Group.

PHMG discovered suspicious activity on certain systems within its network on May 5, 2024. PHMG immediately launched an investigation and determined that an unauthorized party gained access to certain files and potentially copied those files. Some of the files may be unrecoverable.

“However, PHMG is continuing its efforts to restore all files and identify the specific individuals and information that may have been impacted so it can provide individualized notice with additional information when its investigation is complete,” the notice stated.

At this stage of the investigation, PHMG’s assessment concluded that the breach may have involved names, Social Security numbers, medical treatment information, and financial information.  

DaVita discloses tracking pixel use

DaVita, which provides dialysis and integrated healthcare management services, informed users of its website health portal and Care Connect mobile application of its use of online tracking technologies.

DaVita stated that these technologies may have transmitted personal information to certain third-party vendors when users accessed the health portal or mobile app. DaVita used these tools to understand how visitors interacted with its websites.

The information that was potentially sent to third parties included IP addresses, usernames, employment status, certain demographic information, and information showing how the users interacted with DaVita’s health portal or mobile app. First and last names were not included, unless they were part of a user’s username.

“We have conducted a voluntary internal investigation into the use of these online technologies and removed or disabled these technologies if we could not find a HIPAA-compliant service to provide them,” DaVita stated.

“In addition, DaVita has implemented new policies and additional training on the use of online tracking technologies to safeguard against recurrence of this type of incident.”

DaVita encouraged users to block or delete cookies to prevent the use of tracking tech. The company also encouraged users to use “incognito” mode and adjust privacy settings where available.

Next Steps

Dig Deeper on Healthcare data breaches

xtelligent Health IT and EHR
xtelligent Healthtech Analytics
Close