HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

2,889 Patients of Scenic Bluffs Community Health Centers Notified of PHI Breach

An unauthorized individual has gained access to the email account of an employee of Scenic Bluffs Community Health Centers and potentially viewed the protected health information of up to 2,889 patients.

The email account breach was discovered by the health centers on March 1, 2018, the day after access to the account was gained. The attacker had set up a mail forwarder on the account, which had forwarded 44 messages to an email address controlled by the attacker.

None of the forwarded emails contained any protected health information and following the discovery of the mail forwarding rule it was deleted, the account was closed, and all PHI was secured. While no PHI appeared to have been obtained by the attacker, it is possible that during the time that access to the email account was possible, PHI detailed in the emails could potentially have been viewed.

It is unclear how access to the email account was gained. Typically email accounts are compromised after employees respond to phishing emails and inadvertently disclose their login credentials, or via brute force attacks that take advantage of weak passwords.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Scenic Bluffs Community Health Centers has hired an external cybersecurity firm to evaluate its systems and provide recommendations on suitable security solutions that can be deployed to further protect patient privacy and prevent future security breaches.

Breach notification letters were mailed on April 23 to patients whose PHI was potentially viewed.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.