Arjuna Kodisinghe - stock.adobe.

Several Healthcare Providers Report Recent Data Breaches

The latest data breach roundup includes recent notifications from eight healthcare providers, all of which experienced data security incidents recently.

Several healthcare providers reported healthcare data breaches recently, each potentially impacting thousands of individuals. Along with the breaches described in detail below, Capsule, Alameda Health System, and Allaire Healthcare Group recently reported breaches to the Office for Civil Rights (OCR), but further detail was not posted on the provider’s website at the time of publication.

Val Verde Regional Medical Center Breach Impacts 86K

Val Verde Regional Medical Center (VVRMC) in Del Rio, Texas disclosed a data security incident that impacted 86,562 individuals. According to a notice on its website, VVRMC discovered a data security incident that disrupted its system on March 10, 2022.

Upon discovery, VVRMC engaged a digital forensics firm and later determined that an unauthorized party accessed and acquired certain information, including names, addresses, and Social Security numbers, along with some patient account numbers and medical record numbers.

VVRMC said it was not aware of any misuse of information but encouraged impacted individuals to remain cautious.

“The privacy and protection of personal and protected health information is a top priority for VVRMC, which deeply regrets any inconvenience or concern this incident may cause,” the notice stated.

Allwell Behavioral Health Services Suffers Data Security Incident

Nearly 30,000 individuals were notified of a data security incident at Ohio-based Allwell Behavioral Health Services that occurred in March. Allwell discovered the incident on March 5, and later determined that an unauthorized party had gained access to a computer system used to store quality assurance information related to the treatment of its patients.

“In late April 2022, the investigation concluded and it was determined that it appears likely the unauthorized party was able to take an undetermined number of files containing client information from the computer system,” the notice stated.

The potentially impacted information included names, birth dates, Social Security numbers, addresses, bank routing numbers, bank account numbers, and driver’s license numbers.

“As soon as we discovered the incident, we took the steps described above. Additionally, we have upgraded our information technology and computer systems to provide additional security to protect against further unauthorized access,” the notice concluded.

Cooper University Health Care Data Security Incident Impacts Current and Former Patients

Cooper University Health Care discovered a data security incident on December 13, 2021 that potentially impacted data belonging to an undisclosed number of current and former patients. Cooper is a health system that treats patients throughout South Jersey and the Delaware Valley.

Further investigation revealed that an unauthorized actor had accessed an employee email account around November 24, 2021. By May 10, Cooper determined that the account contained patient names, birth dates, provider names, billing and claims information, medical record numbers, and diagnosis and treatment information.

“The privacy and protection of personal and protected health information is a top priority for Cooper, which deeply regrets any inconvenience or concern this incident may cause,” the notice stated.

“Cooper is working to implement additional safeguards to help ensure the security of its email environment and to reduce the risk of a similar incident from occurring in the future.”

BJC HealthCare Discloses Email Breach

St. Louis, Missouri-based BJC HealthCare disclosed an email security incident that impacted an undisclosed number of patients. BJC discovered the incident on March 29 and later determined that unauthorized access to some BJC physician emails had occurred between March 4 and March 29.

BJC was unable to determine whether the unauthorized party had actually viewed any emails or attachments. The email accounts included patient names, birth dates, provider names, treatment locations, medical record numbers, diagnoses, and clinical information, along with limited Social Security numbers and health insurance information.

The incident only impacted patients whose information was included in those specific email accounts, but the following affiliated hospitals were potentially affected:

  • Alton Memorial Hospital              
  • Missouri Baptist Medical Center
  • Barnes-Jewish Hospital 
  • Missouri Baptist Sullivan Hospital
  • Barnes-Jewish St. Peters Hospital             
  • Parkland Health Center Farmington
  • Barnes-Jewish West County Hospital
  • Parkland Health Center Bonne Terre
  • Christian Hospital            
  • Progress West Hospital
  • Memorial Hospital          
  • St. Louis Children’s Hospital

“We regret any concern or inconvenience this incident may cause. We remain committed to protecting the confidentiality and security of patient information,” the notice stated.

“To help prevent something like this from happening in the future, the accounts were secured and we are reinforcing education on how to identify and avoid suspicious emails.”

Jackson County Hospital District Breach Impacts 98K

According to a notice posted on the Maine Attorney General’s Office website, Florida-based Jackson County Hospital District suffered a data security incident in early January. Jackson Hospital “observed unusual activity related to the inaccessibility of certain systems within its network,” the notice stated.

The incident impacted 98,746 individuals. By January 11, Jackson Hospital determined that an unknown actor had accessed its systems and took data, potentially including names, Social Security numbers, medical history, addresses, birth dates, medical condition and treatment information, patient account numbers, and medical record numbers.

“Upon discovering the incident, Jackson Hospital moved quickly to investigate and respond to the incident, assess the security of Jackson Hospital systems, and notify potentially affected individuals,” the notice stated.

“Jackson Hospital is also working to implement additional safeguards and training to its employees.”

Dig Deeper on Healthcare data breaches