Data Breaches at Veterans Affairs, Urology of Greater Atlanta, and Salud Family Health

Impermissible Disclosure of COVID-19 Vaccination Information of 500,000 VA Employees

The COVID-19 vaccination information of roughly 500,000 employees of the Department of Veterans Affairs was impermissibly disclosed. According to the VA, a spreadsheet containing the names of employees and their vaccination information was placed on SharePoint without proper access permissions being set. The Veterans Health Administration (VHA) Healthcare Operations Center then sent an email message with a hyperlink to the spreadsheet to all VHA VISN directors, administrative representatives, deputy network directors, healthcare ops controllers, and central office senior leaders. The spreadsheet also included information on stated religious and medical exemptions to COVID-19 vaccination.

VA’s Data Breach Response Service conducted an internal investigation, which concluded that information had been impermissibly disclosed. The spreadsheet has since been deleted from SharePoint. The VA stated that the risk of misuse of that data is low.

Approximately 80,000 Urology of Greater Atlanta Patients Notified About August 2021 Data Breach

In October 2022, Urology of Greater Atlanta in Georgia submitted a data breach report to the HHS’ Office for Civil Rights indicating that 79,795 patients were affected. At the time, the exact nature of the data breach was not clear. Urology of Greater Atlanta stated today that the breach was due to a cyberattack discovered on August 29, 2021. According to the substitute breach notice recently posted on Urology of Greater Atlanta's website, the forensic investigation confirmed that an unauthorized third party gained access to its system sometime between August 8 and August 29, 2021.

Upon discovery of the breach, third-party forensics specialists investigated the incident and secured the system. According to the investigation results, the attackers did not access the health records database or the billing/practice management system; nonetheless, files that included protected health information (PHI) were possibly viewed or obtained. The exposed information may include names, addresses, dates of birth, ages, patient account numbers, date(s) of service, diagnoses and treatment details, medical backgrounds, and related data found in medical charts. In certain instances, Social Security numbers, financial account data, or driver’s license numbers were also compromised.

Urology of Greater Atlanta stated it is working closely with third-party security specialists to strengthen the protection of its systems. Additional safety measures have been implemented, such as changing a number of components and adjusting remote access practices. It is now sending notification letters and offering free identity theft protection services. Urology of Greater Atlanta said it did not find any evidence of patient information misuse. It did not say why sending the notifications took 15 months.

80,000 Individuals Affected by Salud Family Health Data Breach

Salud Family Health, a Federally Qualified Health Center (FQHC) based in Fort Lupton, CO, that operates 13 clinics in Colorado, recently reported unauthorized third-party access to its system. The attack was discovered on September 5, 2022, and third-party computer experts investigated its nature and extent.

The investigation confirmed the potential access or theft of files that contain patient and employee data. Analysis of those files showed they included data such as names, driver’s license numbers, Social Security numbers, government-issued ID numbers, financial data, medical details, and medical insurance details. Salud Family Health stated that affected employees and patients were given free identity fraud protection and credit monitoring services.

The breach is not yet posted on the HHS’ Office for Civil Rights breach website. However, based on the notification submitted to the Texas Attorney General, around 80,621 persons were affected.