Calif. Health Breach Leads RoundupSocial Security Numbers Posted Online
In this week's breach roundup, the California Department of Health Care Services is notifying about 14,000 in-home supportive services providers that their Social Security numbers were posted to a public site. Also, Carolinas HealthCare System is notifying 6,300 patients after an unauthorized intruder was able to access the e-mail account of a provider.
Calif. Health Dept. Notifies 14,000 of Breach
The California Department of Health Care Services is notifying about 14,000 In-Home Supportive Services providers that their Social Security numbers were posted to a public site, according to local news reports.
On November 5, DHCS posted lists of providers to a public website for business purposes, according to a letter sent to affected individuals from DHCS. IHSS is a benefit received through the state's Medicaid program, known as Medi-Cal. DHCS oversees the Medi-Cal Program.
The department received notification on November 14 that Social Security numbers were included in the lists. The lists posted online included public information, such as provider names, addresses and provider types, the notification letter notes. The lists also included National Provider Identifier numbers, which are public information, as well as Social Security numbers for those without a National Provider Identifier.
All of the lists posted were immediately removed. But a provider then contacted DHCS on November 20 explaining that they were able to find their Social Security number through a Google search, using their name and certain search criteria, according to the notification letter.
"DHCS' Information Technology staff immediately took steps to ensure that any data from the lists was removed from Google and verified the data was not present in other Internet search engines," the notification letter said.
The Social Security numbers included on the lists weren't in the standard format, so the likelihood that the SSNs would have been identified and used by an unauthorized party is not high, DHCS said.
DHCS is offering affected individuals free credit monitoring for one year.
E-mail Hack Exposes Patient Info
Carolinas HealthCare System, with hospitals in North Carolina and South Carolina, is notifying 6,300 patients that an unauthorized intruder was able to access the e-mail account of a provider.
The breach was discovered on Oct. 8 after an upgrade of the hospital's security software. The intruder obtained e-mails from the provider's account between March 11 and Oct. 8.
Five of the e-mails contained Social Security numbers, the hospital said. Other compromised information includes patient names; dates and times of service; provider and facility names; internal hospital medical record and account numbers; dates of birth; and treatment information, such as diagnosis, prognosis, medications, results and referrals.
Carolinas HealthCare System is continuing to monitor for unusual activity. It has notified the U.S. Department of Health and Human Services and the North Carolina Attorney General.
Affected individuals are being offered free credit monitoring and insurance services.
Pepperdine University Reports Stolen Laptop
Pepperdine University in Malibu, Calif., announced Dec. 7 that an unencrypted laptop belonging to a university employee that contained information about 8,300 individuals was stolen from the staff member's car, according to the university's student newspaper.
According to an e-mail sent by the university president, the laptop was used extensively in federal tax-related work, the newspaper reports. It contained data dating back to 2008 on as many as 8,300 Pepperdine campus community members.
Local law enforcement has been notified of the incident, and Pepperdine University has launched its own investigation.
Affected individuals will be notified shortly. University officials have also contacted identity theft experts to aid in the response.