Accidental PHI Disclosures at LA Fire Department and Standard Modern Company

The Los Angeles Fire Department has discovered that the COVID-19 vaccination statuses of 4,900 workers were inadvertently exposed on the internet.

A list that included employees' full names, birth dates, employee numbers, and COVID-19 vaccination data (vaccination dates, doses, or rejected vaccine) had been posted on a publicly viewable site. While the website was active, anyone could visit it and search the database by name or worker number. The database was not password protected, and users were not asked to enter any details to authenticate. A wildcard search produced a table listing the information of all 4,900 workers.

Covid.lacofdems.com was a privately registered site linked to the Emergency Medical Services agency of the Fire Department. The site, which was not authorized, was developed on April 29, 2021 and was deactivated on July 15, 2021. It was reportedly set up to let Department workers retrieve lost vaccination data.

Prior to the deactivation, a correspondent at the LA Times downloaded the stored data. An investigation into the site's ownership revealed that it was hosted by a department worker and was not secured using government software or infrastructure.

After learning of the breach and the exposure of vaccination status details, a number of firefighters took to social media to complain about privacy violations. The firefighters' union, Local 1014, has called for a complete investigation into the breach.

Error at Mailing Vendor Sees Letters Sent to Incorrect MassHealth Members

Standard Modern Company, Inc., based in New Bedford, MA, has informed 2,707 patients of an accidental disclosure of some of their personal information.

Standard Modern Company provides mailing services to the Massachusetts Executive Office of Health and Human Services. On May 24, 2021, Standard Modern Company was informed that certain MassHealth members had received letters that included the data of other MassHealth members. The provider stopped all mailings while the incident was investigated. The investigation confirmed that an internal program error had occurred, affecting mailings between May 10, 2021 and May 18, 2021. The error caused incorrect labels to be generated on a limited number of mailed notices.

In each case, a letter containing a member's name, identification number, birth date, and the last four digits of their Social Security Number was delivered to a different MassHealth member.

Standard Modern Company has stopped using the internal program that caused the error and has implemented additional safeguards to improve its mailing processes and avoid further errors.

Each of the 2,707 affected people had only limited details disclosed, and only to one other member. There were no reported cases of misuse of any of the compromised details. A phone line was established for affected persons to learn more about the breach and have their concerns addressed, and complimentary access to Triple Bureau Credit Monitoring and cyber monitoring services was provided for 24 months.

Beckage PLLC, a privacy and security law firm in Buffalo, NY, assisted Standard Modern Company in investigating and responding to the breach.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone