11,000 Patients Affected in 2 Breaches
Incidents Involve Exposed Server, Stolen Computer
Diatherix, which provides clinical laboratory testing services, is notifying 7,000 patients that their protected health information may have been accessible via the Internet for nearly three years because of a breach at a business associate.
And in another newly reported healthcare breach incident, Temple University in Philadelphia says an unencrypted desktop computer containing information about nearly 4,000 patients was stolen from an office at Temple University Physicians' surgery department.
Diatherix reports that on July 10, it discovered that Diamond Computing Company, a contractor providing it with billing-related services, had a security lapse that made one of its servers accessible via the Internet.
The server became exposed on Sept. 24, 2011, Diatherix says. It was first accessed without authorization on Oct. 16, 2011, though no PHI was viewed at that time. Diatherix's investigation indicates that documents containing PHI were first inappropriately viewed on March 7, 2014. Diamond Computing Company terminated access to the server on July 10.
Information stored on the server included billing-related documents, such as health insurance claim forms and billing and payment-related letters, Diatherix says. Exposed information included patient name, account number, address, date of test, insurance information and guarantor/insured information. Some of the documents also included Social Security numbers, dates of birth, diagnosis codes and the type of test ordered for the patient.
Diatherix has hired a data security firm to assist with an investigation of the incident. The company is offering affected individuals one year of free identity theft protection services.
In the Temple University breach incident, the stolen computer contained information, including full name, age, procedure type and billing code, for 3,780 patients. In some cases, the name of the referring physician and/or medical record number were also included, Temple University says in a statement provided to Information Security Media Group.
Once the theft was discovered, Temple notified local law enforcement authorities, conducted an investigation and notified all affected patients.
Temple is offering impacted patients free identity theft services for one year. As a result of the incident, Temple has taken measures that include developing a mechanism to increase physical surveillance and implementing additional security measures for desktop computers.