USA: Vail Health notifies OCR of data security incident
Vail Health notified, on 4 May 2022, the U.S. Department of Health and Human Services ('HHS') Office for Civil Rights ('OCR') of a data security incident affecting 17,039 individuals. In particular, Vail Health stated that an unauthorised third party had gained access to a restricted location in its computer network containing files of COVID-19 testing results. More specifically, Vail Health noted that the potentially affected information included full names, dates of birth, contact information, COVID-19 test results, and encounter numbers, which constitutes an internal reference used to track individuals' interactions with Vail Health. Furthermore, Vail Health highlighted that, after learning of the incident, it had conducted an investigation and further secured its systems, and added an additional layer of security to the files within the affected location in the computer network, although noting that this location already had in place access controls for limited individuals.