HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

3 Email Security Incidents Reported Affecting More Than 111,000 Patients

Email account breaches have been reported by Montrose Regional Health, EPIC Pharmacy Network, and Acacia Network, and North Shore University Hospital has reported an incident involving a former employee accessing protected health information without authorization.

Montrose Regional Health

The Colorado-based health system Montrose Regional Health has recently started notifying 52,632 patients that some of their protected health information was exposed when unauthorized individuals gained access to employee email accounts. Suspicious activity was detected in an employee’s email account, prompting an immediate investigation. Assisted by a third-party cybersecurity company, Montrose Regional Health discovered multiple employee email accounts had been accessed by unauthorized individuals between August 2, 2021, and October 26, 2021.

A review of the emails and attachments was conducted and it was confirmed on February 25, 2022, that the accounts contained names along with one or more of the following data types: inpatient/outpatient status, internal patient account number, service date, treatment cost, procedure code, provider name, and/or health insurance provider. Montrose Regional Health said it found no evidence of misuse of any of the information stored in the email accounts.

Puerto Rican Organization to Motivate, Enlighten, and Serve Addicts

Acacia Network has recently disclosed a data breach that happened more than 18 months ago and affected 30,220 individuals who received services through the Puerto Rican Organization to Motivate, Enlighten, and Serve Addicts. According to a February 22, 2022, breach notice, Acacia detected a breach of its email environment on July 17, 2020, with the subsequent internal and forensic investigation confirming email accounts were accessed by unauthorized individuals between June 6, 2020, and June 12, 2020.

It was not possible to determine if the unauthorized individuals viewed or obtained any information in the accounts; however, it is possible the following types of information may have been compromised: names, Social Security numbers, driver’s license numbers, addresses, birth dates, financial account numbers, medical record numbers, resident identification numbers, health insurance information, Medicare numbers, provider names, treatment, prescription, and/or diagnostic information.

Acacia said it is offering complimentary credit monitoring and identity protection services to individuals who had either a Social Security number or driver’s license number exposed. It is unclear why it took so long for breach notifications to be issued.

EPIC Pharmacy Network

Mechanicsville, VA-based EPIC Pharmacy Network has recently disclosed a breach of its email environment. EPIC said two employee email accounts were accessed by unauthorized individuals, with the forensic investigation and document review concluding on December 22, 2021.

The forensic investigation confirmed the two email accounts were both accessed by unauthorized individuals on August 19, 2021. The accounts contained names, dates of birth, and medical diagnosis/treatment information, including but potentially not limited to prescription information, as well as medical identification number(s) and/or health insurance plan information.

EPIC said it found no evidence that any information in the accounts was acquired or has been misused. Following the breach, EPIC worked with its information technology managed services providers to implement additional security measures to protect against any further email attacks.

Notification letters were sent to the 28,776 affected individuals on February 8, 2022, and complimentary credit monitoring services have been offered to certain individuals.

North Shore University Hospital

North Shore University Hospital (NSUH) in Manhasset, NY, has recently started notifying 7,614 patients that some of their protected health information has been accessed by a former employee without authorization.

It is unclear when unauthorized access was detected. NSUH said it was determined on April 11, 2019, that unauthorized access had occurred between October 2009 and February 2019. The employee was initially suspended while the breach was investigated and was later terminated over the unauthorized access. The incident was reported to law enforcement, which requested a delay in issuing notification letters so as not to interfere with the investigation. NSUH said it is unaware of any misuse of patient data, and the hospital does not believe any charges were filed against the former employee in relation to the unauthorized access.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.