The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

44,000 Patients Impacted by Phishing Attacks on InterMed and Spectrum Healthcare Partners

Posted By on Jan 17, 2020

The Portland, ME-based healthcare provider InterMed is notifying 33,000 patients that some of their protected health information has potentially been compromised as a result of a phishing attack.

The attack was detected on September 6, 2019. An internal investigation confirmed that the account was compromised on September 4 and the attackers had access to the account until September 6, 2019.

A leading national computer forensic firm was engaged to investigate the breach and discovered a further three email accounts had also been compromised between September 7 and September 10, 2019.

A comprehensive review of the affected email accounts was conducted but it was not possible to determine what emails or attachments, if any, had been viewed by the attackers.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The types of information in the compromised accounts varied from patient to patient and may have included patients’ names, dates of birth, health insurance information, and some clinical information. A “very limited” number of patients also had their Social Security number exposed.

InterMed started mailing breach notification letters to affected patients on November 5, 2019. Complimentary credit monitoring and identity protection services have been offered to patients whose Social Security number was exposed.

Steps have now been taken to improve email security and training has been reinforced to ensure employees adhere to email security best practices.

Phishing Attack Impacts 11,308 Patients of Central Maine Orthopaedics

11,308 patients of Central Maine Orthopaedics, part of Spectrum Healthcare Partners, are being notified that some of their protected health information has potentially been viewed by an unauthorized individual who gained access to the email account of one of its employees.

Spectrum Healthcare Partners discovered the unauthorized access on November 14, 2019 and immediately secured the affected account. The investigation revealed the account had been breached on November 5, 2019. A review of the emails and attachments in the account revealed they contained patients’ names, dates of birth, addresses, health insurance information, clinical and treatment information, and amounts owed to Central Maine Orthopaedics.

While it was confirmed that the attacker remotely accessed the account, no evidence was uncovered to suggest patient information was obtained or misused.

Affected patients were notified out of an abundance of caution on January 13, 2020 and have been advised to monitor their explanation of benefits and account statements for any sign of fraudulent use of their information.

Spectrum Healthcare Partners has strengthened its technical controls and is providing more stringent security training to employees.

4,564-Record Breach Reported by Children’s Hope Alliance

The Barium Springs, NC-based child welfare agency, Children’s Hope Alliance, has announced that a laptop computer containing sensitive information has been stolen.

According to the substitute breach notice on the Children’s Hope Alliance website, the laptop was stolen on October 7, 2019. A digital forensic firm was engaged to determine whether the laptop contained any sensitive information. The investigation is ongoing, but the initial finding show documents on the device contained information such as names, addresses, Social Security numbers, tax identification numbers, dates of birth, usernames and passwords, and medication and dosage information.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 4,564 individuals have been impacted. The breach summary states that this was a hacking/IT incident involving email. It is unclear at this stage whether this is an error, a separate breach, or if the laptop was used to hack into the employee’s email account.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist