Data Breaches at California Department of State Hospitals and Mendelson Kornblum Orthopedic and Spine Specialists

The Department of State Hospitals (DSH) in California has found out a worker got access to the protected health information (PHI) of 1,415 current/former patients and 617 workers without consent.

The staff had an Information Technology position and received access to data servers having sensitive patient and staff information so as to do work responsibilities. DSH discovered the improper access on February 25, 2021 while doing a routine annual analysis of access to data folders.

DHS immediately launched an investigation and discovered that the worker was accessing data without permission for about 10 months. Files with names, COVID-19 test data, and other health information required for tracking COVID-19 were duplicated directly from the server. The privacy breach investigation is ongoing and the staff went on administrative leave while awaiting the finalization of the investigation. Up to now, the investigation has not found any proof that suggest the misuse of the copied information or its disclosure to any other individual.

DSH stated that there were safeguards in place to determine unauthorized PHI access, however since the actions of the worker appear to be valid access, the unauthorized access was not detected when it occurred and was just identified through the yearly review.

It seems like the staff utilized the access they received to perform their regular job tasks to go straight to the server, duplicate files that contain the names of present and past patients, and employees, COVID-19 test results, and related medical data with no obvious connection to their job responsibilities, showing a high possibility of unauthorized access, mentioned by DSH in its data breach FAQs. It is unclear at this time whether this was an intentional breach.

DHS has since taken steps to avoid similar occurrences in the future, such as altering policies and procedures, limiting access to servers comprising PHI, and enhancing logging and assessments of data activity. DHS also improved the automatic detection of files that contain PHI when being copied to non-standard locations.

Mendelson Kornblum Orthopedic and Spine Specialists Identifies 28,658 Patients’ PHI in Vulnerable Server

Mendelson Kornblum Orthopedic and Spine Specialists lately reported the compromise of 28,658 patients’ PHI, which unauthorized persons may have accessed.

On January 5, 2021, the practice found out that one of its servers was vulnerable to accessing by unauthorized third parties. The server consisted of data like names of patients, medical record numbers, birth dates, gender of patients, and data relating to medical photos, for instance, image number,
the date/time the photo was taken, and the label of the body part in the image.

No medical images were accessible, nor very sensitive data like Social Security numbers, medical insurance details, diagnosis/treatment data, or financial data.

Although third party access to the server could have been possible, there was no evidence found during the investigation that confirm the misuse of patient information. Steps were taken to avoid the same occurrences down the road.