Excel File Exposed to Internet at CA Health System

A San Francisco-based health system notified patients of a security incident that occurred when an Excel file containing protected health information was accidentally exposed to the internet.

San Francisco-based John Muir Health (JMH) notified 821 patients of a security incident that occurred when an Excel file containing patient information was accidentally exposed to the internet. JMH includes two of the largest medical centers in California’s Contra Costa County: John Muir Health Walnut Creek Medical Center and John Muir Health Concord Medical Center.

“On March 22, 2023, the JMH Privacy Office was notified that a website developed to facilitate more efficient communication among staff and centralize information (e.g., vendor sites, ordering forms, and medical equipment information) linked to an excel file containing identifiable patient information,” the notice explained.

“The excel file contained names, facility information, patient room numbers, diagnosis/condition information, and dates.”

The staff member who created the site did not realize that the file could have been accessible to people outside of JMH. The site was published on July 1, 2021 and the link was disabled on March 23, 2023.

JMH said that no external third party viewed the information between September 28, 2022 and March 23, 2023, but it was unable to determine whether anyone viewed it between July 1, 2021 and September 27, 2022.

“At John Muir Health, protecting and securing patient information is a top priority. We deeply regret any inconvenience and stress this incident may have caused patients,” the notice concluded. “We are currently reviewing this matter and, at minimum, are re-educating staff and reviewing our policies and practices so that we can prevent a future occurrence.”

NJ Counseling Service Provider Suffers Breach

NewBridge Services, which provides counseling and addiction services to children, adults, and seniors in New Jersey, disclosed a data security incident that potentially impacted current and former patients. It is unclear how many individuals were impacted.

NewBridge discovered a disruption in access to some of its systems on January 26, 2023 and immediately launched an investigation.

The investigation determined that some protected health information (PHI) may have been impacted by the incident, including names, Social Security numbers, treatment information, prescription information, dates of birth, provider information, payment information, and health insurance information.

“NewBridge has taken steps in response to this incident and has made alterations to its cyber environment to help prevent similar incidents from occurring in the future,” the notice stated. “NewBridge has also reported the incident to law enforcement.”

NewBridge began notifying impacted individuals of the incident on April 17.

Two Rivers Public Health Department Experiences Breach

Two Rivers Public Health Department (TRPHD) experienced a data breach involving its server infrastructure in November 2022, a notice stated. TRPHD serves the Buffalo, Dawson, Franklin, Gosper, Harlan, Kearney, and Phelps Counties in Nebraska.

On November 9, TRPHD was notified of suspicious activity involving its server infrastructure. The health department was advised by an external firm that the event did not appear to be a breach. Further investigation determined that an unauthorized party had accessed one TRPHD employee’s Office365 account between September 14 and November 8.

“While the forensic investigation was inconclusive as to any access to or acquisition of personal information and/or protected health information within the impacted account, TRPHD undertook a comprehensive and time intensive review of the entire contents of the impacted account to determine the presence of any personal information and/or protected health information contained therein,” the notice stated.

“The investigation identified the existence of certain personal information and/or protected health information within the impacted mailbox.”

The notice did not specify the types of information included in the breach. TRPHD said it changed all email account passwords and implemented additional measures to prevent future security incidents.
