PHI of 6,000 People Potentially Exposed Due to Breaches at Bloodworks Northwest and American Medical Response

Breach at Bloodworks Northwest

Bloodworks Northwest, a blood bank and medical research institute in Seattle, WA, notified 1,893 patients about the exposure and potential theft of their PHI.

On March 13, 2019, Bloodworks Northwest discovered that a patient list was missing from an employee’s desk. The list contained the patients’ names, medical diagnoses and birth dates. A comprehensive search failed to recover it.

Bloodworks posted a Notice of Data Privacy Event on its webpage, which stated that it had received no information about improper use of any personal data contained in the impacted email account. However, patients are cautioned to remain vigilant against incidents of identity theft and fraud, to always check account statements, and to keep monitoring credit reports for suspicious activity.

The notice seems to be erroneous; otherwise, an email account was perhaps compromised as well. The breach report that Bloodworks Northwest sent to the HHS’ Office for Civil Rights mentioned only loss of paperwork as the reason for the breach.

Breach at American Medical Response

An unauthorized person accessed the protected health information (PHI) of 4,300 patients of American Medical Response, an emergency and patient relocation service provider based in Greenwood Village, CO, after a successful phishing attack. The patients affected by the breach had previously used its ambulance service.

The compromised employee email accounts contained the following data: names, birth dates, addresses, Social Security numbers, health insurance identifiers, and diagnostic and treatment information. Only the email accounts were affected by the breach; no other systems or databases were involved.

Though it is possible that the patients’ PHI was accessed, no report has verified the misuse of any patient data.

American Medical Response has already sent breach notifications by mail to all affected patients and offered them free credit monitoring services. The provider also implemented additional security controls to reduce the risk of similar email account breaches. Employee training was conducted to emphasize the importance of security awareness.