Law Firm Confirms Data Security Incident, 255K Impacted

As previously reported, the data security incident at law firm Warner Norcross & Judd impacted 120,000 Priority Health members.

Law firm Warner Norcross & Judd (WNJ) reported a data security incident to HHS that impacted 255,160 individuals. WNJ discovered unauthorized activity on some of its systems in October 2021 and later determined that some protected health information (PHI) was contained in the systems.

As previously reported, Michigan health plan Priority Health notified 120,000 of its members of the incident in August. Priority Health said that the unauthorized party potentially accessed names, pharmacy and claim information, drug names, and prescription dates from certain prescriptions filled a decade ago.

Based on WNJ’s website notice, it is unclear what other organizations were impacted by the breach. The list of potentially breached data elements was lengthy and included Social Security numbers, names, birth dates, driver’s license numbers, annual compensation amounts, credit and debit card numbers and PINs, financial account and routing numbers, patient account numbers, benefit contribution information, health information, and life insurance policy information.

“Data privacy and security are among WNJ’s highest priorities,” the firm stated. “WNJ has taken steps to help prevent a similar incident from occurring in the future.”

NorthStar HealthCare Consulting Notifies 18K of Breach

NorthStar HealthCare Consulting notified 18,354 individuals of a data breach that it discovered in April 2022. NorthStar is a business associate of Optum Rx, which delivers pharmacy benefit management services to the Georgia Department of Community Health, Medical Assistance Plans Division (Georgia DCH).

NorthStar said it discovered suspicious activity on an employee email account and immediately secured the account and began an investigation.

Although NorthStar was unable to determine what data, if any, was viewed or acquired, the account contained full names, addresses, medication names, Medicaid identification numbers, birth dates, prescriber names, and appeal numbers that NorthStar processed on behalf of Georgia DCH.

“NorthStar is committed to, and takes very seriously, its responsibility to protect all data entrusted to us. We are continuously taking steps to enhance data security protections,” the notice stated.

“As part of our incident response, we changed user account passwords to prevent further unauthorized access. We have also continued ongoing efforts to enhance security controls and to implement additional controls to help protect our systems from unauthorized access.”

Illinois OB/GYN Suffers Hard Drive Loss

AdventHealth Medical Group OB/GYN at Woodridge (AHMG Woodridge OB/GYN) notified 2,001 patients of a data security incident that involved a lost hard drive.

The Illinois practice said that it recently discovered that an external hard drive used to transfer OB/GYN ultrasound images from the ultrasound machine to a backup computer was missing. It is unclear when the loss was first discovered.

“We initiated a comprehensive search for the hard drive itself and a review to determine the data that had been stored on it as well as any security features – such as password protection or encryption,” the notice stated.

AHMG Woodridge OB/GYN was unable to find the hard drive and had no reason to believe that the information was misused.

“However, based on the outcome of the investigation, we determined on June 20, 2022, that there was a potential for breach of certain unencrypted health information contained on the external hard drive, and therefore, are making you aware of the incident,” the notice continued.

The information on the device potentially included patient names, patient identification numbers, birth dates, dates of service, and ultrasound images.

“Protecting the privacy and security of information entrusted to AHMG Woodridge OB/GYN is very important to us, and we are taking steps to assist those who may be impacted and to ensure this does not happen again,” the notice concluded.
