HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

12,000 Patients Impacted by Valley Professionals Community Health Center Phishing Attack

Valley Professionals Community Health Center in Indiana has experienced a phishing attack that resulted in an employee’s email account being accessed by an unauthorized individual.

Phishing attacks often involve the impersonation of companies. In this case, the attacker impersonated a healthcare organization that had previously worked with Valley Professionals Community Health Center. The supposed sender of the email was known to staff at the health center and the email appeared genuine.

On November 27, 2018, Valley Professionals Community Health Center detected suspicious activity relating to the employee’s email account. Prompt action was taken to secure the account and an investigation was launched to determine the cause of the activity. Assistance was provided by a third-party computer forensics company, which determined that the account had been accessed by an unauthorized individual between October 26 and November 27, 2018.

The emails in the account contained information such as patient names, addresses, dates of birth, Social Security numbers, medical record numbers, patient ID numbers, diagnoses, procedure information, treatment information, information relating to payment for medical services, and provider information. A small number of patients also had their bank account number, routing information, and/or health insurance information exposed.


Since it was not possible to determine which, if any, emails in the account had been accessed by the attacker, the decision was taken to send notification letters to all individuals whose protected health information was contained in the account. Approximately 12,000 patients have been sent notification letters. All patients affected by the incident have been offered complimentary credit monitoring services.

The breach has prompted Valley Professionals Community Health Center to implement additional technical safeguards to prevent further successful phishing attacks, and additional training and education have been provided to employees.

Sunflower State Health Plan Alerts 1,625 Members of Impermissible PHI Disclosure

Sunflower Health Plan in Kansas is alerting 1,625 plan members that some of their protected health information has been impermissibly disclosed to other individuals.

On November 26, 2018, Sunflower Health Plan mailed ID cards and Welcome Packlets to 1,625 plan members; however, an error with the mailing resulted in the letters being sent to incorrect addresses. The letters contained patients’ full names and Medicaid ID numbers.

The error was detected on December 3, 2018, and replacement ID cards and Welcome Packlets were mailed to the correct addresses.

Sunflower Health Plan has now changed its mailing processes to prevent further mailing errors and PHI exposures. No reports of improper use of PHI have been received.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.