◆ A law firm in Evansville, Indiana, is considering pursuing claims involving a physician who spoke with women at a bar and then allegedly looked up their medical records, the Evansville Courier & Press reported. At least six women have received an apology letter from Deaconess Health System stating that a physician accessed their medical records without purpose, Taylor Ivy, an attorney with Ladendorf Law, told the newspaper. The physician “would walk up to them, start talking to them, get their names, things like that,” Ivy was quoted as saying. “Then it seems he went to work, trying to get their medical records. One of the women [said] he showed up at her workplace in a suit, with a note that had been written for her.” One of the apology letters, dated Feb. 23, was shared on Facebook by Ladendorf Law with the recipient’s name blacked out. The letter states that the recipient’s records were accessed on eight dates from June 2020 to December 2021 “without business need,” and “we sincerely apologize for this event,” which the health system said was uncovered during a “routine audit” in January. The records accessed included both personal and medical history information. The letter, which was signed by Amanda McCarthy, a privacy officer for Deaconess Health System, included an offer for one year of complimentary use of an online identity theft product. It also stated that the Deaconess employee in question was fired following completion of the audit.
◆ A ransomware group called Hive claims to have stolen private data for 850,000 members of Partnership HealthPlan of California, a nonprofit that manages health care for Medi-Cal patients in 14 counties. Partnership notified a local community health center on March 21 that its computer systems were down. A week later, it posted on its website that it was experiencing “technical difficulties, resulting in a disruption to certain computer systems.” A computer threat analyst notified The Press Democrat that Hive posted on the dark web about stealing Partnership’s data. A screenshot of the claim, since removed from the dark web, shows that Hive claimed “the stolen data includes…850,000 unique records of name, SSN [Social Security number], date of birth, address, contact, etc.” Hive also claimed that 400 gigabytes of data were stolen from Partnership’s file server. Partnership said in a statement that it was aware of the claims and that an investigation was ongoing.