15,000 Patient Records Exposed in Phishing Attack on HIPAA Business Associate

Northwood Inc., a Madison Heights, MI-based HIPAA business associate, has announced that a hacker has gained access to the email account of one of its employees and potentially viewed or obtained sensitive patient information.

The breach was discovered on May 6, 2019 while investigating suspicious activity related to an employee’s email account. When a breach was confirmed, a leading computer forensics expert was hired to assist with the investigation and determine the nature and full extent of the attack.

The forensic investigation revealed the employee’s email account was accessed by an unauthorized individual(s) from May 3 to May 6. No evidence was found to suggest any emails had been viewed or copied, but data access and data theft could not be ruled out.

All emails and email attachments in the account had to be checked to determine whether they contained any patient information. On June 19, Northwood determined patients’ protected health information had been exposed and may have included a patient’s name along with one or more of the following data elements: Address, date of birth, provider name, dates of service, medical record number, patient ID number, diagnosis and diagnosis codes, medical device description, treatment information, and health plan membership number. A small subset of patients also had their Social Security number, driver’s license number, and health insurance provider name exposed.

Affected patients had received durable medical devices from Northwood or had their devices managed by the company. The compromised email account also contained information relating to healthcare providers and their exclusion status with the CMS.

When the breach was discovered, Northwood disabled the compromised account and, as a precaution, performed a password reset on all employee email accounts. Further training has been provided to employees to help them identify email threats and email security has been strengthened. All patients affected by the breach have now been notified by mail and offered complimentary credit monitoring services.

Northwood has reported the breach to the Department of Health and Human Services’ Office for Civil Rights. The breach has been reported as four separate incidents, affecting 583, 3,881, 5,563, and 5,000 patients, for a total of 15,027 patients.

Palisades Eye Surgery Center Breach Impacts Almost 2,700 Patients

Rockville Eye Surgery Center LLC dba Palisades Eye Surgery Center has experienced a cyberattack in which the protected health information of 2,696 patients was exposed.

The patient information was stored in an email account that was accessed by a hacker. The breach was reported to OCR on July 17, 2019. No further information about the breach has been released, so it is currently unclear what types of information were exposed or the nature of the attack.

This is the second cyberattack to be experienced by the eye surgery center in the past 18 months. On January 23, 2018, the PHI of 10 prospective patients was subjected to unauthorized access.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.