Ryan Black

Original image courtesy of Wikimedia Commons user Evan-Amos. Image has been altered for effect.

A dozen institutions have so far reported February incidents where patient protected health information (PHI) may have been compromised. As many as 140,000 patients may be affected.At least it wasn’t as bad as January’s reporting . In the first month of 2018, healthcare organizations reported a total of 18 breaches affecting over 400,000 patients, although that bloated total was largely driven by a single hacking incident against Oklahoma State University Center for Health Sciences that exposed nearly 280,000 records.Healthcare entities must notify the Department of Health and Human Services Office of Civil Rights (OCR) of any breach compromising 500 or more patient records within 60 days of discovery. Many of the events reported in February may have begun in months before and only been reported after internal investigations.Here’s what healthcare organizations reported in February. As notifications tend to trickle in days or weeks into the following month, check back for an updated post.Last month, the total was driven by human error as opposed to malicious actions. More than 80% of the 140,335 affected patients had their information exposed in unauthorized access or disclosure incidents.The largest reported event appeared on the OCR breach page without fanfare on the afternoon of March 1st: Tufts Associated Health Maintenance Organization, a large Massachusetts-based insurer, reported a disclosure of over 70,000 paper or film records. No further details were immediately available, although Healthcare Analytics News™ has reached out to the payer for comment.The second-largest was reported by the Puerto Rico Health Plan Triple-S Advantage, which inadvertently mailed health information to the wrong patients—more than 36,000 times. Social Security numbers were not included, according to the company, but patient identification numbers, names, and procedure codes were.Other entities reporting incidents were CarePlus Health Plan (11,248 patients) and the Missouri Department of Mental Health (1,000 patients).So far, the OCR shows that 6 hacking incidents were reported in February. The University of Virginia Medical Center detected malware on a physician’s computer that may have allowed a hacker to view health records of 1,882 patients between 2015 and 2016, according to the FBI. The hacker was arrested, and UVA Health put out a statement saying that they did not “take, use or share patients’ information in any way,” though patients were notified as a precaution.A practice in Alabama reported that in December, it suffered a ransomware attack that encrypted the electronic health records of 6,550 patients. In a statement, Jemison Internal Medicine said it did not pay the ransom, and was able to restore its files from a backup.But that breach was edged out by an incident that compromised a California pharmacy system’s emails. In October, Ron’s Pharmacy Services noticed what it called “unusual activity in an employee email account.” An outside actor may have had access to the names, pharmacy account numbers, and payment adjustment information of 6,781 patients.The 3 other organizations reporting hacking incidents were Partners HealthCare System in Massachusetts (2,450 patient), Coastal Cape Fear Eye Associates in North Carolina (925 patients), and Forrest General Hospital in Mississippi (1,670 patients).Only about a tenth as many patient records were reported potentially compromised by loss or theft as in January. In 2 incidents, 1,204 patients were reported to have been put at risk.The City of Detroit apparently lost some sort of electronic portable device containing information on 544 of those patients.Eastern Maine Medical Center in Bangor, Maine, notified 660 patients that an external hard drive containing their PHI could not be located, though it stressed in a statement that “Social Security numbers, addresses, and financial information were not stored on this device.”The device belonged to a third-party vendor. Although the organization simply said in its statement that the device couldn’t be found, it reported the incident to OCR as a theft.