4 More U.S. Healthcare Providers Discover Email Account Breaches

Alameda Health System (AHS), an Alameda, CA-based provider of emergency, inpatient, outpatient, and wellness services in the East Bay area, has discovered an unauthorized individual temporarily gained access to the email account of an employee.

AHS learned that the account was accessed for a brief period on April 8, 2020. The breach was discovered by AHS on June 17, 2020.

Assisted by a leading forensic security firm, AHS determined that the following types of information were potentially compromised: names, dates of birth, medical record numbers, appointment dates, limited medical information, health insurance information, Social Security numbers and driver’s license numbers.

AHS and the forensic investigators found no evidence to suggest any information was stolen or misused for the purpose of committing identity theft or fraud, but as a precaution, individuals whose Social Security number was potentially compromised have been offered complimentary membership to credit monitoring and identity theft protection services.

The breach report submitted to the HHS’ Office for Civil Rights shows 2,691 individuals were affected by the breach.

EyeMed Vision Care Suffers Email Account Breach

Ohio-based EyeMed Vision Care LLC, a vision benefits company, has discovered an unauthorized individual has gained access to a corporate email mailbox and used it to send phishing emails to individuals in the address book. The breach was discovered on July 1, 2020 and the account was immediately secured.

An investigation into the breach confirmed access to the email account was gained on June 24, 2020. A review of the email account revealed it contained the electronic protected health information of individuals who currently receive or have previously received vision benefits through EyeMed. Information in the email account included names, addresses, dates of birth, phone numbers, email addresses, and vision insurance account/identification numbers and, for a limited number of individuals, diagnoses and eye conditions, treatment information, and full or partial Social Security numbers.

It was not possible to determine whether any of the information was viewed or obtained during the time the account was accessible, but no reports have been received to suggest any information has been misused. Affected individuals have been offered a 2-year complimentary membership to credit monitoring and identity protection services.

EyeMed has since provided additional security awareness training to the workforce and has implemented further security measures for authorized access to its network.

Century Specialty Script Alerts Customers about Email Security Breach

The New York specialty pharmacy, Century Specialty Script, LLC, has discovered the Office 365 account of one of its employees has been accessed by an unauthorized individual. The breach was detected on or around July 28, 2020 and the account was immediately secured.

A forensic investigation firm was retained to investigate the breach and confirmed that the attacker only gained access to a single Office 365 account, and the breach was limited to the Office 365 environment. As a precaution, the passwords for all Office 365 accounts were changed.

The email account was found to contain the following data elements: names, dates of birth, address, contact information, prescription information, and insurance information. The forensic investigation firm was unable to determine if any information in the account was obtained by the attacker.

Century Specialty Script has since taken steps to strengthen email security to prevent similar breaches in the future.

Stark Summit Ambulance Suffers Multi-Email Account Breach

Stark Summit Ambulance, a provider of emergency and non-emergency medical transportation services in Northeast and Central Ohio, identified suspicious activity in an email account on May 28, 2020. While investigating the breach over the following two months, it was discovered that several more email accounts had been compromised.

An analysis of the compromised accounts revealed 6 contained electronic protected health information which may have been viewed or obtained by the individual(s) behind the attack.

The information in the accounts varied from individual to individual and may have included patients' names along with one or more of the following data types: Social Security number, driver’s license number, state ID number, passport number, medical diagnosis, medical treatment information, treatment type, treatment location, clinical information, mental or physical condition, health care provider/doctor name, date of service, medical history information, health insurance information, Medicare/Medicaid number, other health care payment/cost information, prescription information, checking or savings account, credit or debit card number, or personal identification code.

3,700 patients were affected by the breach.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.