Saint Joseph’s Healthcare System in New Jersey recently announced that more than 5,000 employees at some of its facilities may be at the risk of identity theft following a phishing scam that potentially compromised their information.
Facilities in Paterson, Wayne and Cedar Grove locations were affected, according to St. Joseph’s Vice President of External Affairs Kenneth Morris Jr. Patient data and medical information were not affected, but employees’ names, social-security numbers and employee earnings for 2015 and 2016 were potentially accessed. However, dates of birth, home addresses, and banking information were not affected.
Morris told The Record that there was no indication that the phishing scam was an internal crime, and that it was an “extremely sophisticated” scam. He added that the scam included a named company executive using an internal email.
“There was no intrusion or breach of our internal IT system,” he explained to the news source. “None of that data was compromised.”
Affected employees will be receiving free credit monitoring. Local and federal authorities have also been notified, as well as the system’s insurance carrier, according to Morris.
“Our primary focus is really protecting our employees and their credit health,” he said. “In addition, we’re putting the proper protocols in place so that this doesn’t happen again.”
Other recent potential data breaches included improperly disposed devices and mis-mailings.
Potential data breach at Iowa pharmacy
A Des Moines, Iowa-based pharmacy is warning some customers of a potential data breach after an external hard drive was “inadvertently” disposed of on November 5, 2015.
The Medicap Pharmacy hard drive reportedly contained personal information that the organization believed to have been encrypted, according to The Des Moines Register. However, Medicap said it learned on December 3 that some of the data may not have been encrypted.
Customers who filled prescriptions at the Des Moines pharmacy between June 2014 and Nov. 3, 2015, may have had some information exposed. This data included names, addresses, dates of birth, telephone numbers, prescriber information, names of medications, costs, insurance information and Social Security numbers.
Medicap told the news source that there is no indication that the information was obtained, accessed, or misused. Even so, the pharmacy urged individuals who suspect they may have been the victim of identity theft to contact local law enforcement or the state attorney general’s office.
According to the OCR data breach reporting tool, the incident affected 2,300 individuals.
Michigan rheumatology facility mis-mailing affects 700 individuals
Borgess Rheumatology in Michigan recently reported that 700 patients may have been contacted by mistake through mailings, potentially exposing a limited amount of information to the wrong individuals.
Letters were reportedly mailed to patients on December 9, 2015, according to a WWMT report, and Borgess learned of the incident on December 10. While Social Security numbers were not included in the information mailed out, patient names and the fact that they visit Borgess were included.
Once Borgess found out what happened, it immediately began to contact patients.
“Borgess takes patient confidentiality very seriously and we deeply regret that this has occurred,” Borgess Corporate Responsibility Officer & HIPAA Privacy Officer Susan McDonald said in a statement. “We are doing everything we can to notify patients who were impacted by this mistake.”
Borgess added that it is taking “aggressive steps” to ensure this type of incident does not happen again. While it was not specified exactly how the mis-mailings took place, the organization said that it was also re-educating and training staff on necessary safeguards. Borgess policies and procedures will also be reviewed.
Sign up to receive our newsletter and access our resources