Data Breaches

Breach Subtotal

Breach Type: CARD, HACK, INSD, PHYS, PORT, STAT, DISC, UNKN
Organization Type: MED
Year(s) of Breach: 2017
Company or Organization: all
Date Made Public:
May 22, 2018
Company: Muir Medical Group, IPA. Inc.
Location: , California
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
500
What happened? On March 7, 2018, Muir discovered that a former employee of Muir IPA took with her certain information in the possession of Muir IPA before her employment ended with Muir IPA in December 2017.
 
What information was involved? The information taken by Muir IPA’s former employee may have included your personal information, including demographic information (such as your name, address, email address, telephone number, date of birth, and Social Security number to the extent your Medicare number is derived from your Social Security number), insurance information (such as your health insurance plan name and health insurance identification number), and clinical information (such as your diagnoses, test results, medication information, and other treatment information in Muir IPA’s possession).
 
** Disclaimer ** The number of breached records reported reflects our best estimate, based on all the data currently available. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation to notify the Attorney General.
 
Under Cal. Civ. Code §§ 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents.
If you are a business representative and believe this number is inaccurate, please contact us at chronology@privacyrights.org and we will review and update this record.
 
Information Source:
Security Breach Letter
Date Made Public:
May 16, 2018
Company: Providence Saint John's Health Center
Location: , California
Type of breach:
HACK
Type of organization:
MED
Records Breached:
500
For more information, see the security breach letter sent to the California Attorney General's Office.
 
** Disclaimer ** The number of breached records reported reflects our best estimate, based on all the data currently available. Because the specific number of breached records was not disclosed in the notification letter sent to the California Attorney General’s Office, the number is estimated as the minimum number of breached records necessary to trigger the obligation to notify the Attorney General.
 
Under Cal. Civ. Code §§ 1798.29, 1798.82, notification to the Attorney General is only required whenever a breach of records affects more than 500 California residents.
If you are a business representative and believe this number is inaccurate, please contact us at chronology@privacyrights.org and we will review and update this record.
 
Information Source:
Security Breach Letter
Date Made Public:
April 19, 2018
Company: Blue Shield of California
Location: , California
Type of breach:
DISC
Type of organization:
MED
Records Breached:
0

 Blue Shield of California admitted to a PHI data breach involving an insurance broker who was not authorized to receive patient information, according to a breach notification submitted to the California Attorney General’s Office. 

The Blue Shield of California Privacy Office received confirmation on March 23, 2018 that a breach had occurred in November 2017 during the 2018 Medicare Annual Enrolment Period when a Blue Shield employee emailed a document containing PHI to an insurance broker “in violation of Blue Shield policies.”

The PHI included names, home addresses, mailing addresses, Blue Shield subscriber identification numbers, telephone numbers, and subscribers’ Blue Shield Medicare Advantage plan numbers.

Blue Shield of California said that it believes the insurance broker may have contacted some of the individuals identified in the document to sell a Medicare Advantage Plan offered by another health insurance company.

The health insurer said that individuals affected by the disclosure are eligible for free identity repair and credit monitoring services.

Information Source:
Security Breach Letter
Date Made Public:
March 30, 2018
Company: Santa Cruz Biotechnology, Inc.
Location: , California
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
2,657

On Monday, December 18, 2017, Santa Cruz Biotechnology, Inc. discovered a burglary had occurred in the Santa Cruz office on or around December 17, 2017. As a result of an investigation, they determined that two computers were stolen, both of which were used for HR functions, one of which contained information on consumers, including their full name, postal address, date of birth, social security number, and medical and health insurance information.

Information Source:
Security Breach Letter
Date Made Public:
March 15, 2018
Company: BJC Healthcare
Location: St. Louis, Missouri
Type of breach:
DISC
Type of organization:
MED
Records Breached:
33,000

BJC HealthCare said a data storage error potentially compromised 33,420 patient records when the information was accidentally made publicly available for nine months.

BJC, based in St. Louis, said in a statement that a misconfigured server was left without a security protocol in place, making it possible for someone to view scanned documents containing patients' driver's licenses, insurance cards and treatment-related documents from 2003 to 2009. Other patient data that was possibly left visible included name, address, telephone number, date of birth, Social Security number, driver's license number, insurance information and treatment-related information. The server itself was left unsecured from May 9, 2017 through January 23, 2018.

Information Source:
Media
Date Made Public:
February 16, 2018
Company: Jemison Internal Medicine, PC
Location: Jemison, Alabama
Type of breach:
HACK
Type of organization:
MED
Records Breached:
6,550

Recently, Jemison's computer system was infected by a ransomware virus that encrypted its electronic medical records system containing its patients' medical records. The ransomware demanded monetary payment from JIM in order to decrypt the files and allow the practice to regain access to them. JIM did not pay the ransom to the cyber criminals, but was instead able to restore its files and the functionality of its system through backup records. Subsequent scans of JIM's system show no further sign of the ransomware, and its investigation does not show any indication that the ransomware exfiltrated any data off its system. However, through its investigation of the incident, JIM discovered that its computer system previously had been accessed without its knowledge by unauthorized individuals not affiliated with JIM between September and December 2017. JIM is not able to confirm which, if any, files or patient information were accessed by these unauthorized individuals, but it is possible that they could have accessed JIM's electronic medical records system containing patient names, addresses, telephone numbers, Social Security numbers, dates of birth, driver's license numbers, treatment or procedure information, prescription information, and/or healthcare insurance information. Although JIM is unable to confirm that any personally identifying information or patient health information was accessed by unauthorized individuals, out of an abundance of caution and because of its commitment to data security and privacy, JIM is notifying all of its patients about the incident in compliance with the Health Insurance Portability and Accountability Act (HIPAA).

Information Source:
Security Breach Letter
Date Made Public:
February 7, 2018
Company: Nevro
Location: , California
Type of breach:
HACK
Type of organization:
MED
Records Breached:
500

 Nevro was recently the victim of a criminal break-in at our corporate headquarters in which several laptop computers were stolen. Nearby businesses were also targeted by the same perpetrators, who stole laptops from those businesses as well. Nevro has been unable to recover the stolen laptops on which limited information relating to you has been stored. Nevro has no indication that these laptops were stolen in order to acquire the data on them, nor any indication that the data on the laptops has been accessed or used in any way. All the stolen Nevro laptops were password-protected, although not all were encrypted. Because limited information about individual customer treatment relationships with Nevro was stored on one or more of the stolen laptops, and applicable state law considers this type of information sufficient to warrant a notification, we are reaching out to advise customers of these equipment thefts.

What Information Was Involved? Limited categories of information about certain patients who use Nevro’s HF10 therapy were contained in files stored on one or more of the unencrypted laptops. The categories of information varied by file or patient, but the data fields were limited to patient name, street address, birth date, procedure date, medical device identifiers (such as serial number), and contact information for the patient’s physician or other medical provider. Nevro does not possess, and none of these laptops contained, sensitive identifying information such as Social Security or other government-issued identification numbers or credit card or financial institution information. None of these laptops contained treatment or medical information other than the information directly related to the fact of the use of the device.

Information Source:
Security Breach Letter
Date Made Public:
February 2, 2018
Company: Ron's Pharmacy Services
Location: San Diego, California
Type of breach:
HACK
Type of organization:
MED
Records Breached:
500

On October 3, 2017, Ron’s Pharmacy identified unusual activity in an employee email account. Ron’s Pharmacy immediately changed the employee’s credentials and commenced an investigation, with the assistance of third-party forensic investigators, to determine what happened. As part of this investigation, it was determined that the employee’s email account was subject to unauthorized access and certain emails were viewed as a result of the unauthorized individual(s) using software to crack the employee’s email account password. On December 21, 2017, as part of Ron’s Pharmacy’s ongoing investigation, it was determined that the following information was accessed: names, internal account numbers at Ron’s Pharmacy, prescription medication information, and payment adjustment information, which relates to credits made to accounts. Importantly, no Social Security, health insurance, or financial account information was accessed.

Information Source:
Date Made Public:
January 29, 2018
Company: Nevro
Location: Dublin, Ohio
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
1

What Happened? Nevro was recently the victim of a criminal break-in at our corporate headquarters in which several laptop computers were stolen. Nearby businesses were also targeted by the same perpetrators, who stole laptops from those businesses as well. Nevro has been unable to recover the stolen laptops on which limited information relating to you has been stored.

We have no indication that these laptops were stolen in order to acquire the data on them, nor any indication that the data on the laptops has been accessed or used in any way. All the stolen Nevro laptops were password-protected, although not all were encrypted. Because limited information about your treatment relationship with Nevro was stored on one or more of the stolen laptops, and applicable state law considers this type of information sufficient to warrant a notification, we are reaching out to advise you of these equipment thefts.

 

What Information Was Involved? Limited categories of information about certain patients who use Nevro’s HF10 therapy were contained in files stored on one or more of the unencrypted laptops. The categories of information varied by file or patient, but the data fields were limited to patient name, street address, birth date, procedure date, medical device identifiers (such as serial number), and contact information for the patient’s physician or other medical provider.

Nevro does not possess, and none of these laptops contained, sensitive identifying information such as Social Security or other government-issued identification numbers or credit card or financial institution information. None of these laptops contained treatment or medical information other than the information directly related to the fact of the use of the device.

Information Source:
Security Breach Letter
Date Made Public:
January 25, 2018
Company: The National Registry of Emergency Medical Technicians
Location: Columbus, Ohio
Type of breach:
HACK
Type of organization:
MED
Records Breached:
843

On 11/17/2017 The National Registry of Emergency Medical Technicians suffered a hack affecting 843 records, including first and last names, address information, and Social Security numbers.

Information Source:
Security Breach Letter
Date Made Public:
January 22, 2018
Company: Tx: Team Rehab, Inc.
Location: Indianapolis, Indiana
Type of breach:
HACK
Type of organization:
MED
Records Breached:
56

Tx:Team suffered a hack on 10/30/2017 that affected 6 records, including SS numbers as well as names and credit card or financial account information.

Information Source:
Security Breach Letter
Date Made Public:
January 12, 2018
Company: PharMerica Corporation
Location: , Maine
Type of breach:
UNKN
Type of organization:
MED
Records Breached:
135

Demographic info, medication and clinical info, health insurance info and SSN of 135 Maine citizens breached. Some may have had their financial account info impacted as well.

Information Source:
Government Agency
Date Made Public:
January 12, 2018
Company: Onco360 and CareMed Speciality Pharmacy
Location: Louisville, Kentucky
Type of breach:
HACK
Type of organization:
MED
Records Breached:
53,173

Breach affecting 53,173 records was reported on 1/12/2018, including social security numbers, names, and credit card or financial account information. 

Information Source:
Security Breach Letter
Date Made Public:
January 12, 2018
Company: Deaconess Hospital
Location: Evansville, Indiana
Type of breach:
INSD
Type of organization:
MED
Records Breached:
4

On 12/08/2017, as a result of insider wrong-doing, Deaconess Hospital suffered a breach that resulted in the exposure of 4 records including Social Security numbers.

Information Source:
Security Breach Letter
Date Made Public:
January 10, 2018
Company: St. Vincent Warrick
Location: Boonville, Indiana
Type of breach:
DISC
Type of organization:
MED
Records Breached:
1

St. Vincent learned of an inadvertent disclosure of 1 record on 12/15/2017, including name and social security number, and notified the consumer on 1/10/2018.

 

Information Source:
Date Made Public:
January 8, 2018
Company: Penn Medicine
Location: King of Prussia, Pennsylvania
Type of breach:
PORT
Type of organization:
MED
Records Breached:
1,000

About 1,000 patients at Penn Medicine are receiving letters saying a computer with some of their personal information on it was stolen.

 

A laptop containing patient files was reported stolen from a car at the King of Prussia Mall parking lot on Nov. 30, according to a spokesperson at the University of Pennsylvania Health System. So far, there is no indication the computer has been turned on or the patient information accessed, they stated.

Patient names, birth dates, medical records, account numbers, and some other demographic and medical information were on the computer. There were no Social Security numbers, credit card or bank account information, patient addresses or telephone numbers stolen, according to Penn Medicine.

 

Patients with questions can contact the Penn Medicine Incident Response Line at 1-833-214-8740.

Information Source:
Media
Date Made Public:
December 28, 2017
Company: SSM Health
Location: , Missouri
Type of breach:
DISC
Type of organization:
MED
Records Breached:
29,579

Location of breached information: Electronic Medical Record

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 28, 2017
Company: Miracle-Ear, Inc. and Amplifon (USA), Inc.
Location: , Minnesota
Type of breach:
HACK
Type of organization:
MED
Records Breached:
554

Location of breached information: Email

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
December 27, 2017
Company: Longs Peak Family Practice, P.C.
Location: , Colorado
Type of breach:
HACK
Type of organization:
MED
Records Breached:
16,238

Location of breached information: Desktop Computer, Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 27, 2017
Company: Colorado Department of Human Services
Location: , Colorado
Type of breach:
HACK
Type of organization:
MED
Records Breached:
639

Location of breached information: Desktop Computer

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 26, 2017
Company: Blue Cross Blue Shield of Massachusetts
Location: , Massachusetts
Type of breach:
DISC
Type of organization:
MED
Records Breached:
1,843

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 22, 2017
Company: Kaiser Foundation Health Plan, Inc.
Location: , California
Type of breach:
DISC
Type of organization:
MED
Records Breached:
638

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 22, 2017
Company: SAY San Diego
Location: , California
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
1,272

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 21, 2017
Company: Molina Healthcare
Location: , Florida
Type of breach:
DISC
Type of organization:
MED
Records Breached:
1,380

Location of breached information: Other

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 20, 2017
Company: Absolute Dental Hygiene, LLC
Location: , Oregon
Type of breach:
HACK
Type of organization:
MED
Records Breached:
871

Location of breached information: Desktop Computer, Electronic Medical Record, Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 20, 2017
Company: BEE Reno Dental, LLC
Location: , Nevada
Type of breach:
HACK
Type of organization:
MED
Records Breached:
3,898

Location of breached information: Desktop Computer, Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 19, 2017
Company: MidMichigan Medical Center-Alpena
Location: , Michigan
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
1,900

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 19, 2017
Company: Dignity Health Medical Foundation
Location: , California
Type of breach:
DISC
Type of organization:
MED
Records Breached:
2,189

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 19, 2017
Company: Sheldon M. Golden O.D., Optometric Corporation
Location: , California
Type of breach:
HACK
Type of organization:
MED
Records Breached:
7,583

Location of breached information: Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 18, 2017
Company: Kaiser Foundation Health Plan, Inc.
Location:
Type of breach:
DISC
Type of organization:
MED
Records Breached:
0

On or about October 9, 2017, a letter containing protected health information was inadvertently mailed to another Kaiser Permanente member. The data elements disclosed included the individual's name and prescription medication.

Information Source:
California Attorney General
Date Made Public:
December 15, 2017
Company: Emory Healthcare
Location: , Georgia
Type of breach:
DISC
Type of organization:
MED
Records Breached:
24,000

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 15, 2017
Company: Chilton Medical Center
Location: , New Jersey
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
4,600

Location of breached information: Other Portable Electronic Device

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 15, 2017
Company: NYU School of Medicine - Pediatric Surgery Associates
Location: , New York
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
2,158

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 14, 2017
Company: Compassion Care Hospice Las Vegas, LLC
Location: , Nevada
Type of breach:
HACK
Type of organization:
MED
Records Breached:
1,128

Location of breached information: Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 14, 2017
Company: Memphis Pathology Laboratory d/b/a American Esoteric Laboratory
Location: , Tennessee
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
500

Location of breached information: Laptop

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 14, 2017
Company: Kaiser Foundation Health Plan, Inc.
Location: , California
Type of breach:
HACK
Type of organization:
MED
Records Breached:
4,389

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 12, 2017
Company: Midland County Hospital District d/b/a Midland Memorial Hospital
Location: , Texas
Type of breach:
HACK
Type of organization:
MED
Records Breached:
1,160

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 12, 2017
Company: Pharmacy Innovations
Location: , New York
Type of breach:
HACK
Type of organization:
MED
Records Breached:
1,205

Location of breached information: Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 9, 2017
Company: Franciscan Physician Network of Illinois and Specialty Physicians of Illinois, LLC (formerly known as WellGroup Health Partners, LLC)
Location: , Illinois
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
22,000

Location of breached information: Paper/Films

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
December 8, 2017
Company: Mount Carmel Health System
Location: , Ohio
Type of breach:
DISC
Type of organization:
MED
Records Breached:
836

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services