Share this article on:
An unauthorized individual has gained access to the email account of an employee of Scenic Bluffs Community Health Centers and potentially viewed the protected health information of up to 2,889 patients.
The email account breach was discovered by the health centers on March 1, 2018, the day after access to the account was gained. The attacker had set up a mail forwarder on the account, which had forwarded 44 messages to an email address controlled by the attacker.
None of the forwarded emails contained any protected health information and following the discovery of the mail forwarding rule it was deleted, the account was closed, and all PHI was secured. While no PHI appeared to have been obtained by the attacker, it is possible that during the time that access to the email account was possible, PHI detailed in the emails could potentially have been viewed.
It is unclear how access to the email account was gained. Typically email accounts are compromised after employees respond to phishing emails and inadvertently disclose their login credentials, or via brute force attacks that take advantage of weak passwords.
Scenic Bluffs Community Health Centers has hired an external cybersecurity firm to evaluate its systems and provide recommendations on suitable security solutions that can be deployed to further protect patient privacy and prevent future security breaches.
Breach notification letters were mailed on April 23 to patients whose PHI was potentially viewed.