12,000 Patients Impacted by Valley Professionals Community Health Center Phishing Attack

Share this article on:

Valley Professionals Community Health Center in Indiana has experienced a phishing attack that has resulted an employee’s email account being accessed by an unauthorized individual.

Phishing attacks often involve the impersonation of companies. In this case, the attacker impersonated a healthcare organization that had previously worked with Valley Professionals Community Health Center. The supposed sender of the email was known to staff at the health center and the email appeared genuine.

On November 27, 2018, Valley Professionals Community Health Center detected suspicious activity relating to the employee’s email account. Prompt action was taken to secure the account and an investigation was launched to determine the cause of the activity. Assistance was provided by a third-party computer forensics company, which determined that the account had been accessed by an unauthorized individual between October 26 and November 27, 2018.

The emails in the account contained information such as patient names, addresses, dates of birth, Social Security numbers, medical record numbers, patient ID numbers, diagnoses, procedure information, treatment information, information relating to payment for medical services, and provider information. A small number of patients also had their bank account number, routing information, and/or health insurance information exposed.

Since it was not possible to determine which, if any, emails in the account had been accessed by the attacker, the decision was taken to send notification letters to all individuals whose protected health information was contained in the account. Approximately 12,000 patients have been sent notification letters. All patients affected by the incident have been offered complimentary credit monitoring services.

The breach has prompted Valley Professionals Community Health Center to implement additional technical safeguard to prevent further successful phishing attacks and additional training and education has been provided to employees.

Sunflower State Health Plan Alerts 1,625 Members of Impermissible PHI Disclosure

Sunflower Health Plan in Kansas is alerting 1,625 plan members that some of their protected health information has been impermissibly disclosed to other individuals.

On November 26, 2018, Sunflower Health Plan mailed ID cards and Welcome Packlets to 1,625 plan members; however, an error with the mailing resulted in the letters being sent to incorrect addresses.  The letters contained patients’ full names and Medicaid ID numbers.

The error was detected on December 3, 2018 and replacement ID cards and Welcome Packlets were mailed to the correct addresses.

Sunflower Health Plan has now changed its mailing processes to prevent further mailing errors and PHI exposures. No reports of improper use of PHI have been received.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On