Breaches at Clearway Pain Solutions Institute and Questcare Medical Services Affect Patients’ PHI

Gulf Coast Pain Consultants, also known as Clearway Pain Solutions Institute, discovered that an unauthorized person accessed its EMR system.

An investigation of the breach began on February 20, 2019. It revealed that the unauthorized person accessed a variety of patient data, which included names, phone numbers, home addresses, email addresses, birth dates, Social Security numbers, health insurance details, name of referring provider, and demographic data. Clinical data contained in medical documents were not accessible and financial information was not exposed.

Clearway Pain Solutions Institute already blocked unauthorized access to the system and conducted a complete review of all EMR accounts. All user accounts’ access levels and EMR system activities were validated. After reviewing policies and procedures, the institute will also update the access of patient information as appropriate.

Clearway Pain Solutions Institute sent notifications to all affected patients and offered them free membership to Experian IdentityWorks for one year. The incident is not yet listed on the HHS’ Office for Civil Rights breach portal and so there is no clear information yet regarding the exact number of patients affected.

A phishing attack on the physician group, Questcare Medical Services in Dallas, TX resulted to the compromise of an employee’s email account on February 13, 2019. The investigators found protected health information (PHI) in the compromised account. Affected patients received breach notifications on April 12, 2019.

The people affected by the breach acquired medical services from different Questcare centers — in Dallas, Fort Worth, or Arlington, Texas. The attacker potentially accessed patient information such as, names, birth dates and some clinical data. There was no sensitive financial data or Social Security numbers exposed.

Questcare employees received further training to improve security consciousness and will also get regular reminders concerning phishing. The group installed Microsoft’s Advanced Threat Protection to enhanced its defenses against phishing attacks. There’s no report about the number of persons impacted by the breach yet.