Arizona Veterans’ Healthcare Facility Exposed Staff to Potentially Fatal Conditions and Other Data Breaches Reported

The investigation of an Arizona Department of Veteran Affairs (VA) healthcare facility showed that workers were put at risk because they were exposed to potentially fatal hazards on steam lines. Workers were permitted to do work on the steam lines without making sure the necessary safety protocols are in place.

Government agencies like the VA must comply with the safety and health requirements just like private industry employers that are under the Occupational Safety and Health (OSH) Act. They need to make sure that employees do their work tasks safely and do not face grave danger due to hazards. Government safety inspectors went to the VA’s Prescott facility, managed by the Northern Arizona Veterans Affairs Health Care System last October 2022. They confirmed that the facility do not have energy-isolating procedures called lockout/tagout, which blocks the release of dangerous energy while maintaining and servicing the steam lines. It was discovered that employees used ad-hoc methods that are not compliant with Occupational Safety and Health Administration (OSHA) requirements. The inspectors additionally found out that the facility did not train workers on necessary safety protocols, therefore exposing them to likely fatal conditions.

This is not the first VA facility that failed to make sure correct procedures were done when at the steam lines. Two years ago, an accident ended in tragedy at a Veterans Affairs Healthcare System facility based in West Haven, CT. Two workers died after having fatal burns while working on steam lines. The same problems on safety procedures were discovered by OSHA inspectors.

OSHA inspectors learned there was one conscious violation and two recurring violations of health and safety procedures at the Prescott facility. Three serious notices had been issued for exposing workers to burns and possibly fatal injuries. Government law demands from all public or private employers to have a safe workplace.

Management at all Veterans Affairs facilities must evaluate their employee safety and health plans to make sure they follow industry and OSHA standards for separating hazardous energy to avoid tragedy, according to OSHA Area Director T. Zachary Barnett.

The VA is giving private companies 15 days from the time notices had been received to comply, ask for a meeting with the OSHA area director, or make an appeal. They may be warranted to pay $315,875 in financial penalties for the violations.

Medtronic Warns InPen App Users Regarding Disclosures of Personal Information to Google

The medical device maker Medtronic recently announced the disclosure of the personal data of users of its InPen Diabetes Management App on Android and iOS to Google as a result of adding the tracking and authentication code in the InPen App. The application used Google Analytics for Firebase, Crashlytics for Firebase, and Firebase Authentication. These tools shared some data concerning app users to Google, particularly when users were signed into their Google accounts while using the InPen App. Therefore, their identities and data regarding online activities were disclosed to Google.

Medtronic Diabetes used the tools to get data regarding app usage, determine technical problems, evaluate app performance, and know user needs to give care to clients and enhance services. Medtronic Diabetes stated the information obtained by these tools was consolidated. It was revealed that some data were transferred to Google while users were signed into their Google accounts.

Medtronic Diabetes launched an internal investigation to know what information was potentially disclosed to Google as a result of using these tracking technologies. All users with registered InPen account from September 2020 will be notified about the breach as they are potentially affected. The data shared with Google depends on user activities with the app, as well as other factors like the browser, the cookies if cleared, and whether signed into Google while using the app.

According to Medtronic Diabetes, the disclosed data possibly included: IP address, email address, telephone number, InPen App user name and password, timestamp data associated with certain InPen App events, and the following unique identifiers related to the InPen account or mobile gadget:

  • unique Medtronic Diabetes user identifier
  • unique numbers generated each time the InPen App is downloaded to a certain device
  • Identifiers linked to a mobile gadget like MAID, IDFA, IDFV and/or AAID.

Medtronic Diabetes mentioned that it already removed Google Analytics from the newest InPen app version, and there are plans to shift from Crashlytics and Firebase Authentication to other reporting and validation programs.

Email Breach at La Clínica de La Raza

La Clínica de La Raza located in Oakland, CA reported a breach of the protected health information (PHI) of 15,316 persons. It discovered suspicious activity in some email accounts of employees on February 8, 2023, but it already took steps to protect the accounts. A third-party computer forensics company helped to confirm that unauthorized individuals accessed some employee email accounts at different times from January 24, 2023 to February 8, 2023.

The analysis of all impacted email accounts revealed on April 4, 2023 the inclusion of patient data such as names, addresses, birth dates, Social Security numbers, financial account or payment card details, online credentials, health treatment data, and/or medical insurance data.

La Clinica will notify affected individuals by mail and will provide free identity protection and credit monitoring services o individuals who had their Social Security numbers compromised.

Data Breach at Walnut Creek Medical Center

John Muir Health sent notifications to some Walnut Creek Medical Center patients about the exposure and potential access to some of their PHI by unauthorized persons. The Californian healthcare company was informed about the data breach on March 22, 2023.

A staff member at the medical center built a website to communicate with other staff more effectively concerning the use of medical devices as well as important information like order forms, vendor sites, and equipment data. There was a link posted on the website to an Excel spreadsheet with patient data. The spreadsheet was supposed to be accessible internally only to authorized persons; but those outside of John Muir Health could access it also. The spreadsheet included data like names, dates, facility, room, diagnosis, and conditions.

John Muir Health stated the Excel file link is no longer active on March 23, 2023, and the website was deactivated on March 24, 2023. According to the investigation, unauthorized third party did not access the spreadsheet from September 28, 2022, to March 23, 2023. However, because of restricted audit records, it cannot be determined whether there unauthorized access from July 1, 2021 to September 27, 2022. John Muir Health notified the affected individuals by mail and reported the incident to the California Attorney General. The data breach report is not yet posted on the HHS’ Office for Civil Rights breach website, therefore, the actual number of impacted persons is currently unknown.