PHI Compromised Because of the University of Florida Health Shands, St. John’s Well Child and Family Center and St. Paul’s PACE Breaches

University of Florida Health Shands has learned that an ex-employee has viewed the health files of 1,562 patients without valid permission.

The HIPAA violations were uncovered on April 7, 2021. The provider promptly ended the worker’s access to medical documents pending an investigation. The investigation established that the worker had been accessing patient health records without authorization between March 30, 2019 and April 6, 2021.

The following types of data may have been viewed: names, telephone numbers, addresses, dates of birth, and laboratory test results, nevertheless no Social Security numbers, financial details, or health insurance information was breached.

University of Florida Health Shands doesn’t believe any PHI was stolen or further exposed; nonetheless, as a safety measure, affected persons were given 12-months of free credit monitoring services.

Cyberattack Affects 29,000 Patients of St. John’s Well Child and Family Center

St. John’s Well Child and Family Center, Inc. based in West Sacramento, CA is informing 29,030 persons regarding a cyberattack on February 3, 2021 that led to the probable exposure of their protected health information.

When the family center found out about the attack, it took action quickly to secure its systems and hired third-party cybersecurity professionals to help with the incident investigation. The investigation proved that the attackers possibly accessed or grabbed PHI for example names, Social Security numbers, and other private or medical details.

Persons who had their Social Security number possibly exposed were given free credit monitoring and identity theft protection services for one year.

Third-Party Breach Impacts Patients of St. Paul’s PACE

Community Eldercare of San Diego, also known as St. Paul’s PACE, was impacted by a breach that happened at a provider. Health plan management firm, PeakTPA, offers billing and other management services to St. Paul’s PACE. PeakTPA encountered a cyberattack on December 31, 2020 that lead to the compromise of the information of a number of St. Paul’s PACE patients.

Though the cybercriminal group responsible for the attack wasn’t mentioned in its breach notification, PeakTPA mentioned the FBI broke up the gang on January 27, 2021 and that all stolen records in the attack were restored. The timing implies the Netwalker ransomware gang may have carried out the attack.

PeakTPA reported that the attackers might have obtained data like names, addresses, birth dates, medication data, and Social Security numbers. Impacted people got offers for 3-years complimentary credit monitoring, fraud consultation, and identity theft restoration services via Kroll. PeakTPA explained that it has put in place more security options to avoid the same breaches down the road.


Twitter Facebook LinkedIn Reddit Copy link Link copied to clipboard
Photo of author

Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.