Ashtabula, OH (WorkersCompensation.com) – A data breach at an Ohio hospital that occurred in January was not discovered until March, according to the facility. On April 28th, Ashtabula County Medical Center (ACMC) sent notification to 3,683 patients of the breach, which it discovered on March 12th. In an effort to comply with new federal regulations requiring hospital pricing transparency, the facility had posted a spreadsheet on its website.
On March 12th, ACMC said it discovered that the spreadsheet contained personal health information, including patients' names, diagnoses, and health and medical histories. ACMC initiated an investigation and believes no information was misused as a result of the incident. The facility has implemented additional safeguards to prevent a recurrence and has offered free credit monitoring to the affected patients.
According to the breach portal of the U.S. Department of Health and Human Services (HHS), 43 data breaches have been reported and are under investigation since April 1st, impacting a total of 528,844 patient records. Hacking/IT incidents accounted for 21 reports, and unauthorized access or disclosures accounted for 19. Email was the location of the breached information in 21 of the incidents, roughly half of those reported.
One incident that is not listed on the HHS breach portal is a phishing attack that struck managed care company Magellan Health on April 6th. On that date the company was the victim of a ransomware attack that began with a phishing email impersonating a Magellan client. The company discovered the event on April 11th and hired the cybersecurity forensics firm Mandiant to investigate. Mandiant's investigation determined that the attacker gained access to certain data on a corporate server and attempted to steal login credentials from a limited number of users. The investigators do not believe that any patient information was misused.
In 2009, the Federal Trade Commission (FTC) adopted the Health Breach Notification Rule, which applies to vendors of personal health records and related entities that are not covered by HIPAA. The rule requires those entities to notify affected individuals within 60 days of discovering a breach; if 500 or more individuals are involved, the FTC must also be notified within 10 business days. On May 8th, the FTC published a request for comment on the rule in the Federal Register. The FTC is inviting input on the rule's timing requirements, on issues raised by the use of mobile health apps, and on whether adjustments are needed in light of the COVID-19 crisis. Comments will be accepted for 90 days and can be submitted on the government website.