Getty Images/iStockphoto

Yale New Haven Hospital Research File Implicated in Healthcare Data Breach

Yale New Haven Hospital, Express Scripts, and Alliance Physical Therapy Group all disclosed separate healthcare data breaches recently.

Yale New Haven Hospital (YNHH) informed an undisclosed number of individuals of a healthcare data breach that involved a radiology file. The file was created for research and was accidentally posted on a public-facing website.

YNHH said that the file “may have been accessed by a small number of people.”

After discovering the breach on April 18, YNHH immediately took the file off the website and engaged a third-party forensic firm. The investigation revealed that the file was accessible on the internet between December 16, 2021, and April 18, 2022.  

“The file was made accessible through human error, was inadvertent in nature and was not due to intentional or malicious actions,” the notice stated.

“A review of the file determined it included name, telephone number, email address, age range, preferred language, medical record number, procedure type, and date and location of service.”

YNHH said it has since reviewed its security permissions and will “provide training and guidance to remind employees of their continued need to safeguard patient health information.”

Express Scripts Detects Unauthorized Mobile App Access

During system monitoring, Express Scripts discovered that an unauthorized actor had accessed accounts via its mobile application between April 30 and May 3, 2022, according to a notice posted on the Vermont Attorney General’s Office website.

The unauthorized actor logged into the Express Scripts app using legitimate usernames and passwords. Express Scripts said it believed that the bad actor obtained user IDs and passwords using publicly available data from another entity’s breach.

While logged in, the bad actor potentially viewed patients’ prescription history from the last 24 months, including names, medication names, physician names, prescription numbers and dosage, and pharmacy names.

At the time of publication, it was unclear how many individuals were impacted by the breach.

“Express Scripts and its Privacy Office have thoroughly investigated the circumstances surrounding this situation and have taken steps to help mitigate any harm that might result from the disclosure,” the notice stated.

“To prevent this from happening again, Express Scripts has locked your web account.”

Express Scripts recommended that users change their passwords on any accounts that used the same login credentials.

Alliance Physical Therapy Group Discloses Data Breach

Alliance Physical Therapy Group (APTG), formerly known as Agility Health, disclosed a data breach that occurred in December 2021. APTG describes itself as the 7th largest physical therapy provider in the US, with more than 100 outpatient physical therapy locations across the country.

APTG discovered suspicious activity on its systems around December 27 and later confirmed that an unauthorized actor may have accessed its systems between December 23 and December 27.

The accessed information potentially included names, Social Security numbers, driver’s license numbers, medical information, health insurance information, financial account information, passport numbers, employer identification numbers, electronic signatures, and usernames and passwords.

“APTG takes the security of information entrusted to it seriously,” the notice continued.

“As part of APTG’s ongoing commitment to the security of information within its care, APTG is reviewing its existing policies and procedures regarding cybersecurity and implementing additional measures and safeguards to protect against this type of incident in the future.”

Next Steps

Dig Deeper on Healthcare data breaches