Share this article on:

A woman in Alabama has been awarded $300,000 in damages after a doctor illegally accessed and disclosed her protected health information to a third party.

Plaintiff Amy Pertuit filed a lawsuit against Medical Center Enterprise (MCE) in Alabama, a former MCE physician, and an attorney over the violation of her privacy in January 2015.

According to lawyers for the plaintiff, Amy Pertuit’s husband was experiencing visitation issues and was involved in a custody battle with his former wife, Deanna Mortenson.

Mortenson contacted Dr. Lyn Diefendfer, a physician at MCE, and convinced her to obtain health information about Amy Pertuit for use against her husband in the custody battle. The information was disclosed to Mortenson’s attorney, Gary Bradshaw.

Dr. Diefendfer accessed Pertuit’s records through the Alabama Prescription Drug Monitoring Program website. Since Dr. Diefendfer had no treatment relationship with Pertuit, she was not authorized to access her medical information. The access and disclosure were violations of hospital policies and HIPAA Rules.

After discovering that her health information had been disclosed, Pertuit lodged a complaint with the Department of Health and Human Services’ Office for Civil Rights which put the hospital on notice. However, the hospital failed to implement appropriate sanctions against Diefendfer. Dr. Diefendfer is alleged to have accessed further health information in 2016 and again disclosed that information to Bradshaw.

The plaintiff’s lawyers also said that the hospital’s privacy officer had investigated Dr. Diefendfer and discovered 22 separate violations of hospital policies and HIPAA Rules.

The lawsuits filed against Dr. Diefender, Deanna Mortensen, and Gary Bradshaw were all settled out of court. The case against MCE went to a jury trial.

The jury unanimously found that MCE had failed to take appropriate action against Dr. Diefender after the discovery of the privacy violation, and awarded the plaintiff $295,000 in punitive damages and a further $5,000 as compensation for pain, suffering, and humiliation.

Follow Us

Share this article on:

The Ullico Inc. subsidiary, Union Labor Life Insurance (ULLI), is notifying more than 87,000 plan members that some of their protected health information (PHI) has been exposed as a result of an employee responding to a phishing email.

As is often the case in healthcare phishing attacks, the phishing email was realistic and appeared to be a genuine request from a business partner. The email contained a hyperlink which asked for login credentials to be entered when clicked. The employee entered the credentials, which were harvested by the attacker and used to remotely access the account.

ULLI had systems in place which alerted the information technology department to the unauthorized access. The IT department blocked third-party access to the account within 90 minutes of the account being compromised on April 1, 2019 and disconnected the device from the network. The prompt action greatly limited the potential for the accessing or theft of protected health information contained in emails and email attachments.

ULLI conducted a forensic analysis and determined that access was limited to a single email account on one device. However, that email account was confirmed to contain the PHI of plan members in emails and email attachments.

While the investigation found no evidence to suggest patient information was accessed or stolen, the possibility could not be ruled out with a sufficiently high degree of certainty.

The protected health information that was potentially compromised was limited to: Names, addresses, dates of birth, Social Security numbers, and some personal health information of plan members and their family members.

As a precaution, ULLI has taken the decision to offer all affected individuals 24 months of complimentary credit monitoring and identity theft protection services.

According to the breach report submitted to the Department of Health and Human Services’ Office for Civil Rights, up to 87,400 patients have been affected by the breach.

Follow Us

Share this article on:

A former employee of a Germantown, MD-based healthcare provider is suspected of accessing the protected health information of up to 16,542 patients and providing that information to a third party for use in fraudulent activities.

On April 10, 2019, Takai, Hoover & Hsu, P.A., which runs THH Paediatrics in Germantown, was notified by county and state police that an individual had been arrested as part of an investigation in a matter unrelated to THH.

That individual was associated with an employee of THH who is suspected of accessing and impermissibly disclosing patient information including names, dates of birth, Social Security numbers, and addresses of the parents of patients.

Immediate action was taken by THH to investigate the allegations. Access to patient data was restricted for the employee, who was placed on leave on April 16 pending the outcome of the internal and law enforcement investigations.

The former employee has not been charged at this stage and no direct evidence has been found to suggest that any patient information was taken and misused; however, THH took the decision to fire the employee on May 3, 2019 after receiving further information from law enforcement. The matter has also been reported the Maryland Board of Nursing.

THH has hired a computer forensics company to conduct a detailed investigation of its computer systems to determine what, if any, protected health information has been accessed and whether information was copied.

Monroe County Hospital Notifies 10,970 Patients About PHI Breach at Navicent Health

Monroe County Hospital (MCH) in Forsyth, GA, is notifying 10,970 patients that some of their PHI may have been compromised in a security breach at one of its vendors.

On March 26, 2019, the hospital was informed by Navicent Health that some patient information was potentially compromised in a recent cyberattack. An unauthorized individual had gained access to the email accounts of several Navicent Health employees and potentially accessed MCH patient data. This was part of a much larger breach affecting more than 278,000 patients.

The forensic investigation revealed the following PHI may have been compromised: Names, addresses, dates of birth, medical record numbers, limited health information, and for certain individuals, driver’s license numbers or Social Security numbers.

All affected individuals were mailed notification letters on May 24.

Follow Us

Share this article on:

Employees of Turlock Irrigation District in California who are members of their employer-sponsored health plan are being notified that some of their protected health information has been exposed online as a result of an error at a business associate.

Delta Health Systems (DHS) provides administrative services related to the health plan and requires access to certain protected health information. Some of that information was made accessible over the internet through a link to a DHS webpage.

The error was made by third-party website developer. While the website had been configured to restrict access, there was a conflicting setting which provided general access to the document which took precedence.

Affected plan members have been told that their billing statement for their employee-sponsored health plan could have been accessed by unauthorized individuals during the time it was accessible over the internet. The billing statement contained the plan member’s first and last name, employer’s name and address, DHS ID number, and Social Security number.

All affected members have been offered one year of free membership to credit monitoring and identity theft protection services through Experian.

The issue was identified and corrected on April 18, 2019. It was not possible to determine when the error was introduced and for how long plan members’ personal information was exposed. It was not possible to determine whether any unauthorized individuals accessed the billing statements while they were unprotected.

In addition to correcting the problem, DHS has contacted search engines to request the removal of all cached content. DHS is also revising its security policies and procedures and has built a new, more secure website that lacks the software that was misconfigured.

The incident has been reported to the California Attorney General but has not yet been listed on the HHS’ Office for Civil Rights website, so it is currently unclear how many plan members have been affected.

Ellwood City Medical Center Investigating Cyberattack

Officials at Ellwood City Medical Center, in Ellwood City, PA, are currently investigating a cyberattack that compromised part of its systems. The attack appears to have started on or around Saturday May 27, although at this stage, no further information has been released. Analyses are ongoing to determine whether any patient records have been compromised.

The cyberattack comes at a time when the Americore Health-owned medical center is embroiled in problems associated with billing and payroll and is being investigated over late payments of wages to staff.

Follow Us