Breaches at Medical Oncology Hematology Consultants and Health Net of California Reported

An email security breach at Medical Oncology Hematology Consultants (MOHC), which is a cancer treatment center based in Newark, DE, resulted to the exposure of some patients’ protected health information (PHI). The substitute breach notice posted on the MOHC web page stated that the email account compromise occurred from June 7 to June 8, 2018. There is no mention about the date when MOHC discovered the breach. However, the extensive investigation, which ended on March 14, 2019, confirmed the exposure of patient data as a result of the breach.

Third party computer forensics professionals conducted the investigation with considerable coordination with the provider hosting its email environment. Although there was no reports received suggesting the misuse of any patient information, data access and theft cannot be dismissed.

The exposed information included names, birth dates, government ID numbers, Social Security numbers, financial account data, and medical data. MOHC already notified all patients impacted by the breach and provided a year credit monitoring membership and associated services for free.

MOHC has implemented steps to strengthen email security such as using a more secure site for receiving emails coming from outside sources, more malware blocking options, a suspicious email logging system and encryption of sent emails. Employees also received further training on security awareness. Controls have likewise been installed to notify employees when sending emails that have unencrypted sensitive data.

This is the second report by MOHC regarding a large data breach in the last two years. The first was in September 2017 when a ransomware attack on MOHC affected 19,000 patients. The number of patients affected by this latest breach is still unknown.

Health Net of California found out that because of a coding error on a mailing, subscribers’ PHI was impermissibly disclosed. During a mail merge, the coding error happened causing the letters to be misaligned. Because of this, the subscribers’ PHI was printed on letters mailed to other subscribers. The coding error happened on March 1 and impacted mailings up to March 12, 2019.

Due to the error, there was impermissible disclosure of the following data elements: Name, birth date, Health Net ID number, group number, health plan name, names of dependents and their ages, name and address of primary care physician, and the last four digits of the social security numbers of dependents.

Health Net of California already identified and fixed the coding error. Extra safety procedures were implemented for future mailings, such as a few testing scenarios and using a checklist to find errors and correct them before mailing the letters.

The number of subscribers affected by the mailing error is still unknown at this time.