Breach Guilty Plea Leads RoundupSouth Carolina Case Involved Medicaid Information
In this week's breach roundup, a former South Carolina state employee has pleaded guilty to five charges after he sent personal information about more than 228,000 Medicaid recipients to his personal e-mail account. Also, Saint Louis University in Missouri is notifying 3,000 individuals that their protected health information may have been compromised as a result of a phishing scam.
See Also: The Global State of Online Digital Trust
Guilty Plea in South Carolina Case
A former South Carolina Department of Health and Human Services employee has pleaded guilty to five charges after he sent personal information about more than 228,000 Medicaid recipients to his personal e-mail account.
On Oct. 8, Christopher Lykes, Jr. pleaded guilty to four counts of willful examination of private records by a public official, public member or public employee, and one count of criminal conspiracy, according to the South Carolina attorney general.
The information inappropriately transferred included names, phone numbers, addresses, birth dates and Medicaid ID numbers [see: Arrest in S.C. Medicaid Info Breach].
For almost 23,000 of the affected patients, Medicare numbers, which contain Social Security numbers, also were transferred. No private medical records or financial information were involved, authorities said.
A second defendant in the breach case, Toshia Yvette Latimer-Addison, was indicted in February for one count of criminal conspiracy, an announcement from the S.C. attorney general said.
Lykes' sentencing has been deferred because the second case is ongoing. He faces up to five years in prison, a $5,000 fine per count, or both.
Phishing Scam Impacts Health Info
Saint Louis University in Missouri is notifying 3,000 individuals that their protected health information may have been compromised as a result of a phishing scam.
The university learned on Aug. 8 that certain employees provided account information in response to a sophisticated phishing e-mail scam on July 25, according to a notice posted on the school's website.
As a result of the incident, about 10 employees had their direct deposit information changed by scammers, yet no unauthorized financial transactions occurred, according to the notice.
The phishing scam also resulted in unauthorized access to about 20 e-mail accounts that contained personal health information on about 3,000 individuals, the university says. Those included patients treated by physicians in the university's medical group as well as those who were treated or reviewed by SLU physicians at facilities owned by the Tenet Healthcare Corp. or SSM Health Care, the university says.
Compromised information includes diagnoses, procedures and medical chart information, the university says. Additionally, the names and Social Security numbers of about 200 people were also included in the e-mail accounts.
The university says its electronic health record system wasn't accessed by the unknown party.
Affected individuals are being offered a year's worth of free credit monitoring and identity theft protection services. SLU also launched a dedicated website providing further information about the incident and an FAQ.
Judge Orders Hospital Records Destroyed
A bankruptcy judge has approved the destruction of old medical records stored in a building that was formerly the site of Edgewater Medical Center in Chicago.
After an investigation by the Chicago Tribune found that Social Security numbers and other sensitive patient information was vulnerable, a custodian at the former hospital sought court approval to destroy the records, according to the newspaper.
When the Illinois Department of Public Health conducted an investigation in 2009, it found that the door to a room on the eighth floor of the facility that housed the medical records did not have a lock and medical files were scattered throughout the building [see: Medical Records Found at Closed Hospital].
A notice announcing the destruction of the records will be posted in local newspapers, the Tribune reports.
Laptop Stolen from Hospital Employee
The University of California San Francisco Medical Center is notifying 3,500 patients that certain information may have been compromised following the theft of an unencrypted laptop from an employee's locked car.
UCSF learned on Sept. 10 that the laptop was stolen the previous day, according to a statement issued on the medical center's website. The employee worked in the division of transplantation.
Upon learning of the theft, the employee alerted San Francisco police, UCSF police and UCSF officials, the medical center said.
Potentially compromised information includes names and medical record numbers. Social Security numbers were also involved for a small number of individuals, UCSF said.
Paper documents for 31 patients were also stolen from the car. Those included patient names, dates of birth, medical record numbers and some health information, the medical center said.