Here are the nine ASCs and outpatient facilities that experienced data breaches in 2018:
1. On Jan. 8, an unauthorized third party accessed 134,512 patient records at Albany, N.Y.-based St. Peter's Surgery & Endoscopy Center. Malware potentially compromised a server containing personal patient information, but there was no evidence patient information was accessed. The ASC sent notifications to potentially affected patients Feb. 28.
2. Silver Spring, Md.-based Capital Digestive Care notified HHS of a data breach Feb. 23. A third-party vendor for the center stored files on a commercial cloud server with inadequate security, according to the gastroenterology group. The reportedly insufficient security exposed 17,639 patient records. Social Security numbers and financial information were not compromised.
3. On Feb. 26, Baton Rouge, La.-based Eye Care Surgery Center discovered the theft of a laptop that potentially stored patient information. The ASC has since installed a multi-camera security system and launched an investigation into the incident. The surgery center alerted 2,553 patients their information might have been compromised and notified HHS about the breach April 27.
4. In April, Charlotte, N.C.-based Carolina Digestive Health Associates notified patients a former employee stole about 100 patients' personal data, including Social Security numbers and birthdays, and shared the information with fraud suspects. HHS' Office for Civil Rights data breach reporting portal shows 10,988 records were potentially impacted.
5. Holland (Mich.) Eye Surgery and Laser Center notified patients May 18 about a hacking incident that occurred in 2016. The hacker accessed a list with patient names, addresses, birthdays, demographic information, health insurance information and Social Security numbers. The OCR portal shows 42,200 patients were affected.
6. Sioux City, Iowa-based Jones Eye Clinic was the victim of a cyberattack that compromised thousands of patients' data. The eye clinic's employees discovered a ransomware attack on their computer system Aug. 23. The clinic was able to restore much of the stolen information using a backup and did not pay for the return of the stolen data. As a result of the attack, which exposed 40,000 patients' information, the clinic hired a forensic computer investigator to examine what happened. After conducting the investigation, the clinic found the ransomware was loaded Aug. 22 and attackers had access to patient information but not the group's EMR data.
7. The Fullerton, Calif.-based National Ambulatory Hernia Institute experienced a ransomware attack that affected 15,974 patients Sept. 13. The National Ambulatory Hernia Institute advised affected patients to use identity monitoring services for a year. The institute transferred the data to an off-site server and added controls to prevent additional attacks.
8. Vancouver-based Southwest Washington Regional Surgery Center informed 2,393 patients Nov. 6 about an email phishing attack that compromised their protected health information. The phishing attack affected one employee's email inbox between May 27 and Aug. 13, according to a notice on the center's website. The incident doesn't affect all SWRSC patients. To minimize the risk of a similar incident, SWRSC has updated passwords and enhanced email access protocols.
9. Georgia Spine and Orthopaedics of Atlanta discovered an unauthorized person gained access to an employee's email account through a phishing scam, and the incident was reported to HHS Nov. 16. The scammer compromised one mailbox July 11 after an employee opened a malicious link or document in an email that appeared legitimate. The account contained patient names and other common medical information. A small number of emails contained Social Security numbers and driver's license numbers. The scammer likely retained a copy of certain emails. In total, 7,012 individuals were affected.