HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

6 HIPAA-Regulated Entities Report Email Account Breaches and the Exposure of PHI

6 data breaches have recently been reported by HIPAA-regulated entities that have collectively resulted in the exposure and potential theft of the protected health information of tens of thousands of individuals.

La Casa de Salud, New York

The Acacia Network, a New York City-based human services organization, has recently notified the HHS’ Office for Civil Rights about an email account breach that was detected on July 17, 2020. According to the breach notice on the Acacia Network website, email accounts were accessed for a limited time between June 6, 2020, and June 12, 2020. An investigation was immediately launched and a forensic firm was engaged to provide assistance, but it was not possible to determine if any emails or attachments had been viewed or copied.

A review of the emails in the account revealed they contained patients’ names, Social Security numbers, driver’s license numbers, addresses, birthdates financial account numbers, medical record numbers, resident identification numbers, health insurance information, Medicare numbers, provider names, treatment, prescription, and/or diagnostic information.

The Acacia Network said the email accounts contained the data of a percentage of clients in the following programs:

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

  • Bronx Accountable Healthcare Network
  • Bronx Addiction Services Integrated Concepts System, Inc.
  • Community Association of Progressive Dominicans
  • El Regreso, Inc
  • Greenhope Services for Women, Inc
  • La Casa De Salud, Inc
  • Promesa, Inc.
  • United Bronx Parents, Inc.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 9,969 patients and was reported under the name La Casa De Salud. It is currently unclear if that is the total number of individuals affected. Notification letters were mailed on February 22, 2022, and complimentary credit monitoring and identity protection services have been offered to individuals whose Social Security number or driver’s license number was exposed. No explanation was given as to why it took more than 18 months to notify the affected individuals.

Valley View Hospital, Colorado

Valley View Hospital in Colorado has recently announced that the email accounts of four employees have been accessed by unauthorized individuals after the employees responded to phishing emails. The email account breaches were detected by the hospital on January 19, 2022. The email accounts were immediately secured, and a forensic security firm was engaged to investigate and determine the nature and scope of the breach. On March 29, 2022, it was determined that four email accounts had been compromised that contained information about approximately 21,000 hospital employees and patients. Valley View Hospital did not state in its substitute breach notice what types of information had been compromised.

Notification letters started to be sent to affected individuals on March 19, 2022.

Fairfield County Implants and Periodontics, Connecticut

Fairfield County Implants and Periodontics (FCIP) in Connecticut has recently confirmed that an email account was accessed by an unauthorized individual. FCIP said it was determined on March 2, 2022, that the breached email account contained the protected health information of certain patients, with the review confirming the following types of information had been exposed: Names, addresses, dates of birth, phone numbers, email addresses, Social Security numbers, health insurance information, and medical history and treatment information.

Notification letters were sent to affected individuals on April 15, 2022. FCIP said no evidence of actual or attempted misuse of patient data had been identified at the time of issuing notification letters. Affected individuals have been offered 24 months of credit and CyberScan monitoring at no cost.

The breach was reported to the HHS’ Office for Civil Rights as affecting up to 10,502 individuals.

Los Angeles County Department of Mental Health, California

Los Angeles County Department of Mental Health has recently confirmed there has been a breach of three employee email accounts. The accounts were compromised on October 19, 2021, as a result of employees responding to phishing emails. A forensic investigation was unable to determine if any sensitive information was viewed or exfiltrated, but the possibility of unauthorized data access could not be ruled out.

A review of the affected email accounts revealed they contained the following types of information: names, addresses, dates of birth, driver’s license numbers, Social Security numbers, medical and/or health information, health insurance information, SSID student identifiers, and/or financial account numbers. When the breach was discovered, prompt action was taken to secure the accounts and all network credentials were reset. Additional safeguards have now been implemented.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 5,129 individuals.

Scott County, Iowa

Scott County in Iowa has recently confirmed it was the victim of a cyberattack that was discovered on November 30, 2021. The email account of an employee was discovered to have been used to send unauthorized emails to internal and external email addresses. The subsequent forensic investigation confirmed that the email accounts of three employees had been compromised and accessed by an unauthorized individual on October 27, 2021.

A review was conducted of all messages in the email accounts. That process was completed on February 22, 2022, when it was confirmed that the email accounts contained the sensitive information of clients, employees of Scott County, and other individuals who received healthcare treatment or services facilitated by Scott County. The email accounts contained information such as names, addresses, dates of birth, Social Security numbers, medical information, health insurance information, and financial account information. At this stage, no evidence of actual or attempted misuse of sensitive data has been identified.

The HHS’ Office for Civil Rights breach portal shows 1,583 individuals were affected.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.