HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

228,000 Individuals Impacted by Legacy Community Health Services Phishing Attack

Legacy Community Health Services in Texas is alerting 228,009 patients about a data breach involving some of their protected health information (PHI). The PHI was stored in an email account that was accessed by an unauthorized individual.

The breach was detected on July 29, 2020, one day after an employee responded to a phishing email and disclosed login credentials to the attacker. The account was immediately secured and a computer forensics firm was engaged to assist with the investigation.

No evidence was found to indicate emails were viewed by the attacker or that electronic protected health information was stolen, although the possibility of data theft could not be totally discounted. The compromised email account contained patient names, dates of service, and health information related to care at Legacy, along with a limited number of Social Security numbers. Complimentary membership to a credit monitoring and identity protection service has been offered to individuals whose SSN was compromised.

Email security has been reinforced since the attack and the staff has been retrained on identifying and avoiding phishing emails.

Georgia Department of Human Services Discovers Breach of Multiple Employee Email Accounts

The email accounts of several employees of the Georgia Department of Human Services have been accessed by unauthorized individuals. The email accounts contained the personal and protected health information of parents and children who were involved in Child Protective Services (CPS) cases with the DHS Division of Family & Children Services (DFCS).

The Georgia Department of Human Services learned in August that the attackers potentially accessed emails containing personal and health information. The breach investigation revealed access to the email accounts was gained between May 3, 2020 and May 15, 2020.

The types of data exposed varied from individual to individual and may have included full names, names of household members, relationship to the child receiving services, county of residence, DFCS case number, DFCS identification numbers, date of birth, age, number of times contacted by DFCS, an identifier of whether face-to-face contact was medically appropriate, phone numbers, email addresses, Social Security number, Medicaid identification number, Medicaid medical insurance identification number, medical provider name and appointment dates.

Psychological reports, counseling notes, medical diagnoses, and substance abuse information relating to 12 individuals were also included in the compromised email accounts, along with one individual’s bank account information.

The breach report submitted to the HHS’ Office for Civil Rights shows 45,732 individuals have been affected.

VOXX International Suffers Ransomware Attack

VOXX International Corporation has confirmed it suffered a ransomware attack on July 7, 2020 in which the protected health information of members of its benefit plans was potentially compromised. Information stored in files on the affected servers included names, addresses, email addresses, dates of birth, Social Security numbers, financial account numbers, and/or health insurance information of current and former employees and their dependents and beneficiaries.

An investigation into the attack revealed the attackers had access to the servers between June 4, 2020 and July 7, 2020, and that some of the files on the servers were accessed by the attackers prior to the deployment of ransomware. The review of the files revealed they contained the PHI of 6,034 individuals.

VOXX has now implemented an endpoint threat detection and response tool and is taking other measures to enhance the security of its network. All affected individuals have been offered complimentary membership to Experian’s IdentityWorks identity theft resolution services.

Einstein Healthcare Network Suffers Phishing Attack

353,616 patients of Philadelphia, PA-based Einstein Healthcare Network are being notified that some of their protected health information has potentially been accessed by unauthorized individuals who gained access to certain employee email accounts. The email security breach was detected on August 10, 2020. The investigation revealed the attacker gained access to email accounts between August 5 and August 17, 2020.

A review of the compromised email accounts revealed they contained patients’ names, dates of birth, medical record or patient account numbers, and/or treatment or clinical information, such as diagnoses, medications, providers, types of treatment, or treatment locations. Certain patients also had their health insurance information and/or Social Security number exposed.

It was not possible to determine if any emails were accessed or copied by the attackers, but since data theft could not be ruled out, patients whose Social Security number was exposed have been offered a 1-year complimentary membership to credit monitoring and identity protection services.

Einstein Healthcare Network has re-trained employees on how to identify and avoid suspicious emails and steps have been taken to improve the security of its email environment.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.