Email Accounts Compromised at The Foleck Center, Mountain Dermatology Specialists
The Foleck Center in Virginia and Mountain Dermatology Specialists in Colorado have discovered unauthorized access to employee email accounts and the exposure of patient data.
The Foleck Center Discovers Forwarding Rule on Employee Email Account
The Foleck Center, a provider of cosmetic, implant, and general dentistry services in Norfolk, Hampton, and Virginia Beach, has recently notified 6,965 patients that some of their protected health information has been acquired by an unauthorized individual.
On October 26, 2023, The Foleck Center was made aware that one of its employees had a forwarding rule on their email account that sent emails to a Gmail account. The Foleck Center contacted its managed IT service provider, which performed a forensic investigation. Rather than this being a HIPAA violation by the employee, the forensic investigation revealed that an unauthorized third party had gained access to the email account and set up the forwarding rule on September 4, 2023.
Copies of all emails sent to the employee’s account between September 4, 2023, and October 31, 2023, were forwarded to the Gmail account. The Gmail account had not been sent up by the employee or anyone else at The Foleck Center. The IT company secured the account and implemented additional safeguards to prevent mailbox rules from being set up for external forwarding.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
While it was possible to tell which emails had been forwarded between September 4, 2023, and October 31, 2023, it was not possible to determine if any other emails in the account had been read or copied. All emails were reviewed to check which patient data had been exposed or stolen, and all individuals whose PHI was present in the account were notified. The information exposed varied from individual to individual and may have included names, addresses, dates of birth, employer name and address, dates and office locations of treatment/appointments, employer name and address, our patient and system ID numbers, and insurance information. A limited number of patients also had their Social Security numbers and/or driver’s licenses exposed.
The Foleck Center said it already provides HIPAA and security awareness training for employees several times a year, and additional training is now being provided to improve password and network security further.
Email Account Breach Reported by Mountain Dermatology Specialists
Mountain Dermatology Specialists in Edwards and Dillion, CO, has also recently reported an email account breach that was detected on October 26, 2023. An unauthorized individual gained access to the email account of one of its employees and used the account to send phishing emails to contacts within the mailbox.
The forensic investigation confirmed there had been unauthorized access to the email account between October 24, 2023, and October 26, 2023. A review of the emails in the account confirmed that the protected health information of 2,705 patients was exposed, including full names, addresses, dates of birth, phone numbers, email addresses, dates of treatment, types of treatment, conditions/diagnoses, medications, health insurance information, and cost/billing information/amount paid. A limited number of individuals also had their Social Security numbers and/or compensation/benefits information exposed.
Mountain Dermatology Specialists said it has implemented additional technical safeguards, performed password resets, and reinforced security awareness training for the workforce.
