The Iowa Veterans Home announced Friday that it is beginning to notify 2,969 people of a data breach that may have exposed their medical and financial information.
According to a release from the IVH, Google and the state of Iowa were targeted with multiple phishing email campaigns in February and three IVH employees provided their credentials, which gave the hacker access to email accounts.
Officials with the IVH said there is no evidence that the hacker accessed the three employee email accounts before access was blocked, but they are notifying residents, former residents and applicants out of an “overabundance of caution.”
The IVH said information that may have been accessed includes names, mailing addresses, phone numbers, medical information and Social Security numbers.
The IVH has a toll-free telephone number, 1-800-645-4591, for questions. Anyone who is concerned that personal information may be used by another person can request free credit reports at https://www.annualcreditreport.com or 1-877-322-8228.
Anyone who suspects their identity has been stolen is advised to contact local law enforcement or the Attorney General’s Consumer Protection Division at 515-281-5926, or toll-free at 1-888-777-4590.
Saint Joseph’s Healthcare System in New Jersey recently announced that more than 5,000 employees at some of its facilities may be at risk of identity theft following a phishing scam that potentially compromised their information.
Facilities in Paterson, Wayne and Cedar Grove were affected, according to St. Joseph’s Vice President of External Affairs Kenneth Morris Jr. Patient data and medical information were not affected, but employees’ names, Social Security numbers and employee earnings for 2015 and 2016 were potentially accessed. However, dates of birth, home addresses, and banking information were not affected.
Morris told The Record that there was no indication that the phishing scam was an internal crime, and that it was an “extremely sophisticated” scam. He added that the scam included a named company executive using an internal email.
“There was no intrusion or breach of our internal IT system,” he explained to the news source. “None of that data was compromised.”
Affected employees will be receiving free credit monitoring. Local and federal authorities have also been notified, as well as the system’s insurance carrier, according to Morris.
“Our primary focus is really protecting our employees and their credit health,” he said. “In addition, we’re putting the proper protocols in place so that this doesn’t happen again.”
Other recent potential data breaches included improperly disposed devices and mis-mailings.
Potential data breach at Iowa pharmacy
A Des Moines, Iowa-based pharmacy is warning some customers of a potential data breach after an external hard drive was “inadvertently” disposed of on November 5, 2015.
The Medicap Pharmacy hard drive reportedly contained personal information that the organization believed to have been encrypted, according to The Des Moines Register. However, Medicap said it learned on December 3 that some of the data may not have been encrypted.
Customers who filled prescriptions at the Des Moines pharmacy between June 2014 and Nov. 3, 2015, may have had some information exposed. This data included names, addresses, dates of birth, telephone numbers, prescriber information, names of medications, costs, insurance information and Social Security numbers.
Medicap told the news source that there is no indication that the information was obtained, accessed, or misused. Even so, the pharmacy urged individuals who suspect they may have been the victim of identity theft to contact local law enforcement or the state attorney general’s office.
Borgess Rheumatology in Michigan recently reported that 700 patients may have been contacted by mistake through mailings, potentially exposing a limited amount of information to the wrong individuals.
Letters were reportedly mailed to patients on December 9, 2015, according to a WWMT report, and Borgess learned of the incident on December 10. While Social Security numbers were not included in the information mailed out, patient names and the fact that they visit Borgess were included.
Once Borgess found out what happened, it immediately began to contact patients.
“Borgess takes patient confidentiality very seriously and we deeply regret that this has occurred,” Borgess Corporate Responsibility Officer & HIPAA Privacy Officer Susan McDonald said in a statement. “We are doing everything we can to notify patients who were impacted by this mistake.”
Borgess added that it is taking “aggressive steps” to ensure this type of incident does not happen again. While it was not specified exactly how the mis-mailings took place, the organization said that it was also re-educating and training staff on necessary safeguards. Borgess policies and procedures will also be reviewed.