Annie Vuong, a former receptionist at a New York-based dental office, was given 2-6 years in state prison for stealing personal identifying information, such as names, dates of birth, addresses, and Social Security numbers, from more than 650 patients, Manhattan District Attorney Cyrus R. Vance announced April 10.

Vuong and her codefendants, Devin Bazile, Joshua Haughton, and Ahmeen Evans, then allegedly used the stolen identities to make more than $700,000 in Apple product purchases.

A New York State Supreme Court jury found Vuong guilty of 189 counts, including grand larceny and identity theft.

“Annie Vuong exploited her access to confidential patient information to commit large-scale identity theft against hundreds of unsuspecting victims, as a jury found in this 189-count conviction,” said Vance. “Her role as the source of stolen information set this entire scheme into motion, enabling her codefendants to rack up more than $700,000 in fraudulent purchases.”


A registration employee at West Kendall Baptist Hospital in Miami, Florida, stole patient credit card information to make personal purchases, Baptist Health announced April 10.

Baptist Health said it discovered the breach on March 9 and immediately reported the incident to the Miami-Dade Police Department.

Patients who made credit card payments at West Kendall Baptist Hospital between August 2014 and March 2018 may have been affected. Data that was stolen includes names, addresses, and credit card numbers.

Baptist Health is providing free identity protection and credit monitoring services for one year to affected individuals.


Two unencrypted hard drives with protected health information (PHI) on 2,100 patients of Chesapeake Regional Healthcare were lost at its sleep center in Chesapeake, Virginia, the healthcare provider announced April 6.

The breach impacted patients who received treatment at the sleep center between April 2015 and February 2018, when the breach was discovered.

The drives contained patient names, dates of birth, unique medical record numbers, demographic information, medications, and procedure details.

Chesapeake Regional Healthcare is offering affected patients free credit monitoring and identity theft protection services for one year.


The Wisconsin Department of Health Services and The Management Group (TMG) announced April 4 that a laptop and work bag of a TMG IRIS consultant was stolen in February.

The laptop may have contained personal information, including names, addresses, dates of births, participation in IRIS services, Medicaid numbers, financial information, and Social Security numbers, on 779 participants in IRIS, a Medicaid program for adults with long-term care needs. The announcement said that the Social Security numbers of 23 IRIS participants was confirmed to be on the laptop.

While the data on the laptop was encrypted, the password to access the laptop was in the work bag, the announcement said.

TMG, which is a business associate of the Department of Health Services and serves as an IRIS consultant agency, is offering potential victims free identity theft protection services for one year.

Chicago-based Integrated Rehab Consultants is just now admitting to a healthcare data breach that it knew about back in 2016. 

In December 2016, IRC received a tip from a healthcare researcher about patient data posted on a public repository. After conducting a probe, IRC determined that a third-party vendor had provided the patient data to another third-party vendor who uploaded the data to the repository. It worked with the vendor to remove the data from public exposure. 

The patient data exposed to the public included names, addresses, admission dates, treatment locations, IDs, and diagnosis and procedure codes.

Apparently, IRC did not disclose the data breach to HHS or affected patients at the time.

A year later, IRC said it became aware that the data on the repository may have been accessed by other parties besides the researcher. Yet it still appears to have done nothing.

The breach is not listed on the Office of Civil Rights’ Breach Portal either as under active investigation or resolved.

IRC appears to have notified affected patients recently and is only now offering them free credit monitoring and identity restoration services. IRC could not be reached for comment on the reason for the data breach notification delay.