HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

1,800 Patients’ PHI Compromised in Metrocare Services Phishing Attack

Metrocare Services, the largest provider of mental health services in North Texas, has suffered a phishing attack that has resulted in the exposure of 1,804 patients’ protected health information.

Several employee email accounts were compromised in the attack, with the first account breach occurring on August 2, 2018. Metrocare did not discover the phishing attacks until September 4.

As soon as the breach was discovered, steps were taken to secure the accounts. Metrocare has also given its employees additional training on information security, additional measures are being introduced to improve the security of its information technology infrastructure, and email security has been strengthened.

The investigation into the breach could not determine whether any emails containing patients’ protected health information were accessed by the attackers, but data access could not be ruled out. No reports have been received that suggest any PHI has been misused.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

The types of information that were exposed differed from patient to patient and included data such as names, dates of birth, driver’s license numbers, health insurance information, information relating to services received from Metrocare, and in some cases, Social Security numbers.

Metrocare started notifying affected patients by mail on November 1. Patients whose Social Security numbers were potentially compromised have been offered 12 months of complimentary credit monitoring and identity protection services. All patients impacted by the breach have been advised to check their Explanation of Benefits statements for healthcare services that have not been received or authorized.

Summit Medical Group Notifies Patients of Potential PHI Exposure

Summit Medical Group is notifying certain patients that some of their protected health information has potentially been compromised.

The information was recorded in a notebook that was maintained by a medical assistant in its Berkeley Heights dermatology office. On September 5, 2018, Summit Medical Group’s management and privacy office was informed that the notebook was missing.

The New Jersey physician-owned multispecialty medical practice conducted a search for the missing notebook but it couldn’t be located. Employees were interviewed and footage from security cameras was checked. According to Summit Medical Group, the notebook was only ever used in the dermatology office and no evidence of theft was discovered.

The notebook contained written notes on patients seen by the medical assistant since January 12, 2018. The types of information recorded in the notebook varied for each patient and included names, addresses, dates of birth, telephone numbers, health insurance numbers, Medicare IDs, and treatment information.

Since the notebook may have been stolen, patients have been advised to monitor their account and explanation of benefits statements and remain vigilant for incidents of identity theft and fraud.

The breach report submitted to the HHS’ Office for Civil Rights indicates 525 patients’ PHI was recorded in the notebook.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.