
Data Breaches Hit Saltzer Health, Loyola University Medical Center

The healthcare sector continues to be a prime target for data breaches that lead to network outages, data exfiltration, and PHI exposure.

Hospitals and outpatient facilities, both large and small, continue to be the targets of healthcare data breaches, placing additional strain on an already overworked sector.

The new year began with the announcement of a protected health information (PHI) breach and data exfiltration at Broward Health, impacting 1.3 million individuals. Clinical data technology vendor Ciox Health recently reported a breach that impacted 32 healthcare organizations across the country.

During the first week of January, Missouri-based Capital Region Medical Center (CRMC) announced that it had made significant progress on restoring its systems after a system-wide network outage that impacted the center’s phone and computer systems. Three weeks later, CRMC’s website, patient portal, and online bill pay services are back online.

Meanwhile, other healthcare organizations are just beginning to recover from their own security incidents.

Saltzer Health Faces Email Breach, Potential PHI Exposure

Idaho-based Saltzer Health, part of Intermountain Healthcare, recently began notifying patients of a data breach that occurred from late May to early June 2021 and impacted 15,650 individuals.

Saltzer Health noticed suspicious activity on June 1 and determined that an unauthorized third party accessed an employee email account. On September 21, Saltzer Health determined that it could not rule out the possibility that the unauthorized individual could have viewed protected health information.

The information involved included names, driver’s license numbers, contact information, medical record numbers, prescription information, medical history, and diagnosis and treatment information. For some, Social Security numbers and financial account information were impacted.

Saltzer Health said that it currently has no evidence that any of the information was used to commit identity theft or fraud.

After discovering this incident, Saltzer Health said it worked to reset the password of the impacted email account, monitor network activity, and provide notification to affected individuals as soon as possible.

“Saltzer Health encourages all individuals to remain vigilant against incidents of identity theft and fraud by reviewing account statements and explanation of benefits, and monitoring free credit reports for suspicious activity,” the practice stated in its website notice.

Florida Pharmacy PHI Breach Impacts Nearly 40K

Florida-based MedQuest Pharmacy notified HHS of a PHI breach that impacted 39,447 individuals. In a notice on its website, MedQuest said it became aware of the data security breach on November 18, 2021.

Upon discovery, MedQuest engaged its parent companies, UpHealth and Innovations Group, to secure the network and begin an independent forensic investigation. The investigation determined that the breach began around October 27 and that the network was secured as of October 30, despite MedQuest not discovering the breach until mid-November.

The notice did not specify the nature of the incident or what systems specifically were impacted.

An unauthorized third party may have obtained PHI, including names, medical record numbers, prescription information, referring doctors, dates of treatment, health insurance policy numbers, genders, email addresses, mailing addresses, telephone numbers, and internal MedQuest patient identification numbers. A small subset of individuals may have had their Social Security numbers and financial information exposed.

MedQuest is offering impacted individuals one year of free credit and identity monitoring through Equifax.

Loyola University Medical Center Faces Email Security Incident

Loyola University Medical Center (LUMC), which is a member of Trinity Health, announced that it suffered an email security incident that may have exposed the PHI of 16,934 individuals.

LUMC became aware of suspicious activity on October 31, 2021, and later determined that an unauthorized individual had gained access to an employee email account between October 29 and 31. LUMC said it secured the account immediately.

The medical center’s notice said that it was unable to determine what, if any, emails were viewed. As a result, LUMC notified patients whose information may have been accessible within the email account at the time of the security incident.

The exposed information potentially included names, phone numbers, birth dates, addresses, email addresses, medical record numbers, medications, test results, types of service, and health plan information.

LUMC will offer a year of free credit monitoring and dark web monitoring to impacted individuals.

“It is our privilege to serve your health care needs,” LUMC told patients in its notice.

“We want to assure you that LUMC takes our responsibility to safeguard protected health information very seriously, and we deeply regret any inconvenience or concern this situation may have caused you. We believe this to be an unfortunate and isolated incident.”
