Getty Images/iStockphoto

NM Radiology Practice Health Data Breach Results in PHI Exposure

New Mexico-based Radiology Associates of Albuquerque discovered a health data breach in August 2021 that involved unauthorized access to patient PHI.

Radiology Associates of Albuquerque, also known as RAA Imaging, informed an undisclosed number of patients of a health data breach involving protected health information (PHI) exposure.

The breach stemmed from a cyberattack that was detected over a year ago. After discovering the cybersecurity incident in August 2021, RAA immediately launched an investigation of the incident.

After launching the investigation, RAA determined that on July 22, 2021, and August 3, 2021, certain documents stored within its environment were copied from the system as part of the cyber incident.

Further investigation revealed that an unauthorized party had accessed email accounts at differing times between December 22, 2020, and July 15, 2021.

The potentially impacted information involved names, contact information, Social Security number, medical conditions, medical history, treatment information, patient account numbers, health insurance, and other PHI.

“The confidentiality, privacy, and security of information within its care are among RAA’s highest priorities,” the radiology practice wrote. “Upon learning of the event, RAA promptly took steps to secure its systems and investigate the full scope of the incident.”

As a part of its reconciliation process, it identified appropriate contact information for specific individuals.

Recently, RAA began notifying impacted individuals of the breach so that patients may take the appropriate steps to protect their personal information.

“RAA encourages individuals to remain vigilant against incidents of identity theft and fraud by reviewing account statements and explanation of benefit forms and monitoring free credit reports for suspicious activity and to detect errors,” RAA said.

Improper PHI Disposal Creates Patient Privacy Concerns at NJ Hospital

The Valley Hospital announced it has begun notifying individuals of an accidental patient privacy event that involved improper PHI disposal.

On August 29, 2022, the New Jersey-based hospital discovered that some “Post-COVID-19 Testing Patient Instructions” were accidentally disposed of in a recycling bin at an outpatient COVID-19 testing facility.

After learning of the event, an investigation was promptly launched, according to a notice on the hospital website. The Valley Hospital also attempted to retrieve the improperly disposed instruction, but its efforts were unsuccessful.

“Through its investigation, The Valley Hospital determined that the Instructions included the names of the providers administering the COVID-19 test, and label with the patient names, medical record numbers, service dates, and location codes for the patients’ scheduled procedure,” the hospital stated.

“The Instructions DID NOT include patient addresses, phone numbers, insurance identification numbers, Social Security numbers, positive or negative status, procedure type, or any other information that constitutes protected health information.”

The Valley hospital said it has no evidence that any patient PHI was acquired or misused. However, out of an abundance of caution, all patients tested at that facility between June 1, 2022, and September 1, 2022, will notify all patients.

“Based on the limited nature of the information involved, patients tested at that facility are unlikely to be at risk of identity theft or data misuse, and no further action on their part is needed,” the hospital stated.

Health Insurance Agency Suffers Data Security Incident, Over 8K Impacted

CareOregon became aware of a data security incident that exposed PHI for over 8,000 current members of the health insurance agency.

On August 9, 2022, marketing letters containing members’ PHI, including name and Medicaid ID number, were sent out to the wrong address, a website notice stated.

Upon learning of the incident, CareOregon began notifying impacted individuals of the incident. Additionally, the health insurance agency conducted an investigation that concluded this incident poses a low risk of fraud and identity theft.

“The investigation confirmed that the organization has the correct policies and procedures in place to address this type of breach and those processes are reviewed yearly,” CareOregon wrote in the website notice. “We’ve provided additional training to the employee to make sure this doesn’t happen again.”

CareOregon encouraged members who are concerned about the breach to review account statements and credit reports.

Next Steps

Dig Deeper on Healthcare data breaches