Western Connecticut Health Network is sending breach notification letters to patients whose protected health information (PHI) may have been exposed in a postal incidence.
On June 11, 2019, Western Connecticut Health Network (WCHN), now known as Nuvance Health, sent a box containing medical records to the Connecticut State Department of Public Health using the U.S. Postal Service (USPS). On June 21, WCHN was notified that the box had been damaged in transit and had broken open, thereby exposing the enclosed medical records. Some of the contents of the box were also reported as damaged.
WCHN retrieved the records from USPS on July 9. According to a statement made by the health network, there was “no indication that the box of medical records ever left USPS custody” before its safe retrieval.
The statement continued: “WCHN has no evidence that any information that was in the damaged box has been misused. However, out of an abundance of caution, WCHN began mailing notification letters to potentially affected patients on Aug. 19, and has established a dedicated incident response line to answer any questions.”
WCHN has now changed its procedures for sending protected health information to prevent a similar exposure of PHI from occurring again in the future.
An investigation into the types of information included in the records concluded that the PHI limited to names, addresses, dates of birth, provider names, medical record numbers, diagnosis dates, diagnoses, and medical test results.
Due to the controlled nature of the incidence, the risk of identity fraud to affected individuals is low.
The network advises patients who believe they may be affected by the incident but did not receive a letter by Aug. 30 to call the toll-free number advertised on their website as soon as possible.
The media often overlook ‘paper’ data breaches such as this in favour of reporting on cybersecurity incidents, but the severity of such breaches should not be underestimated. The number of patients affected by this incident is unknown, and it is likely to be smaller than the number potentially affected by a phishing incident, the potential negative consequences to the victims are no less significant. This mailing incidence highlights to organisations that although they should be investing in the cybersecurity framework of their organisations, the physical security of PHI documents should not be neglected, whether at rest or in transit.