GA Health System Reports Healthcare Data Breach

Emory Healthcare (EHC), Epic Management, and NYC Health + Hospitals recently disclosed healthcare data breaches.

Georgia-based Emory Healthcare reported a healthcare data breach that impacted more than 1,000 individuals and potentially exposed protected health information (PHI).

Through a notice from the United States Department of Labor (DOL), Emory Healthcare became aware of an employee inappropriately accessing at least 1,600 patient records between December 2020 and December 2021.

Further investigation revealed that the now-former employee released demographic information from several hundred employees to individuals involved in unemployment benefits fraud.

The potentially impacted demographic information included names, dates of birth, and Social Security numbers. Investigators found no evidence that any medical histories, tests, laboratory results, diagnosis and treatment plans, or insurance information were compromised.

During the investigation, Emory Healthcare stated it has “fully cooperated with law enforcement during the investigation, arrest, and prosecution of individuals involved in the matter and will continue to do so as the case moves forward. EHC followed the instructions of the DOJ regarding the timing of this notification and is now notifying patients whose information is believed to have been involved in this incident and for whom EHC had last known addresses.”

Healthcare Management Company Discloses Data Security Incident

Epic Management, a healthcare management company, experienced a data security incident involving the exposure of some patient information.

Epic noticed unusual activity in its digital environment on September 2, 2021. Upon discovering the activity, the organization said it immediately took steps to secure the domain. Later, Epic engaged independent cybersecurity experts to conduct an intensive investigation, learning that some PHI may have been impacted on December 9, 2022.

This security event may have included names, dates of birth, Social Security numbers, health insurance information, medical information, driver’s licenses, passport numbers, financial account numbers, routing numbers, biometric data, as well as usernames and passwords.

Since the investigation, no evidence has suggested that any information was misused, and it was unclear how many individuals were impacted by the breach.

“While Epic has no evidence that any information potentially involved in this incident has been misused, out of an abundance of caution, Epic is informing affected individuals about the steps they can take to help protect their information,” the report stated.

Missing Hard Drive Poses Data Security Risk for Over 2K Patients

NYC Health + Hospitals informed 2,174 patients of a data security incident that may have impacted personal and medical information. The incident was discovered in June, and the integrated healthcare system began notifying patients on November 29.

According to a notice on its website, the NYC Health + Hospitals incident involving potentially compromised PHI stemmed from a missing, defective hard drive that was removed from a visual field-testing device at the organization’s Woodhull location.

The organization noted that no financial information or other personal identifiers were impacted by the security incident. However, the hard drive did store PHI, including dates of birth, medical record numbers, and visual field test results.

The investigators have not found evidence that any information has been misused, but out of an abundance of caution, the organization is notifying all individuals affected by this incident.

Following this incident, the integrated healthcare system will take several steps to avoid future incidents, such as educating employees on existing policies and practices for the proper chain of custody for devices containing PHI.

“In order to minimize any potential future compromise of PHI, NYC Health + Hospitals has begun implementing a data removal process for the visual field-testing device to ensure that data is removed on a regular basis,” the report said.

Additionally, the organization stated, “NYC Health + Hospitals will enhance its training to ensure that all staff are aware of the need to promptly notify the OCC of any incident in which patients’ PHI might be compromised.”
