2,393 Patients of Southwest Washington Regional Surgery Center Impacted by Phishing Attack

Southwest Washington Regional Surgery Center in Vancouver, WA, has suffered a phishing attack that has resulted in the exposure of 2,393 patients’ protected health information.

The breach was confined to a single email account and no evidence was uncovered to suggest any emails have been accessed or downloaded by the attacker. An extensive investigation was conducted with assistance provided by a third-party cybersecurity firm. The investigation concluded on September 25.

The investigation included a manual review of all emails in the compromised account to identify patients affected and the types of information that may have been compromised.

Southwest Washington Regional Surgery Center explained in its breach notice that the beach was limited to the following PHI elements: Names, driver’s license numbers, Social Security numbers, medical information, and for a limited number of patients, credit card numbers.

The investigation revealed the email account was compromised on May 27, 2018 and access remained possible until August 13, 2018.

Patients impacted by the breach were sent breach notification letters on November 6, 2018 and have been offered complimentary credit monitoring and identity theft restoration services for 12 months. Information has also been provided on the steps that should take to reduce the risk of identity theft and fraud.

The breach has prompted Southwest Washington Regional Surgery Center to enhance its email access protocols to prevent further successful phishing attacks, passwords were reset, and its password policy updated.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.