30,000 Patients’ PHI Exposed in NC and TX Phishing Attacks


Claremont, NC-based Choice Health Management Services, a provider of rehabilitation services and operator of several nursing homes in North and South Carolina, has experienced an email security breach affecting employees as well as current and former patients.

The security breach was discovered in late 2019 when suspicious activity was detected in the email accounts of some of its employees. An internal investigation was launched, which determined on January 17, 2020 that the email accounts of 17 employees had been subjected to unauthorized access. Since it was not possible to determine which emails and/or email attachments had been opened by the attackers, a third-party firm was engaged to assist with the investigation. While the review concluded on March 27, 2020 that the compromised accounts contained sensitive information, it was unclear which facilities the affected individuals had visited for treatment. It took until May 12, 2020 to tie those individuals to a particular facility.

The compromised accounts contained a wide range of sensitive information including names, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, credit card information, financial account information, employer identification number, username with password or associated security questions, email address with password or associated security questions, date of service, provider name, medical record number, patient number, medical information, diagnostic or treatment information, surgical information, medications, and/or health insurance information.

Notifications have been sent to affected patients and steps have been taken to improve security to prevent future data breaches. The HHS’ Office for Civil Rights breach portal indicates 11,650 individuals were affected.

19,000 Patients Affected by Phishing Attack on Houston Health Clinic

The Houston, TX federally qualified health center, Legacy Community Health, is notifying approximately 19,000 patients that some of their protected health information may have been accessed by an unauthorized individual who gained access to the email account of one of its employees.

On April 10, 2020, an employee responded to an email believing it to be a legitimate request and disclosed credentials that allowed their email account to be accessed. The breach was discovered on April 16, 2020 and the email account was immediately secured.

Assisted by a third-party computer forensics firm, Legacy Community Health confirmed the breach was limited to one email account which was found to contain patient names, dates of service, and health information related to the care provided at its clinics.

The investigation into the breach is ongoing and notifications will soon be sent to all individuals whose information has been exposed. At this stage, no evidence has been found to suggest any patient information was obtained or misused.

Legacy Community Health is taking steps to improve email security and has enabled multi-factor authentication on its email accounts. Further training has also been provided to staff to help them identify and avoid phishing emails.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
