Email Incidents Announced by SAG-AFTRA Health Plan & East Paris Internal Medicine Associates
A phishing attack on SAG-AFTRA Health Plan has exposed plan member data East Paris Internal Medicine Associates has discovered a former employee emailed patient data to a personal email account.
Phishing Attack Exposed SAG-AFTRA Health Plan Members’ PHI
SAG-AFTRA Health Plan, a provider of health benefits to media professionals, has discovered unauthorized access to an employee’s email account. The account breach was detected on September 18, 2024, and the account was immediately secured to prevent further unauthorized access. Third-party cybersecurity consultants were engaged to investigate the breach and determined there had been unauthorized access to the account from September 17 to September 18 due to a response to a phishing email.
The account was reviewed, and on October 3, 2024, it was confirmed that the protected health information of certain health plan members had been exposed. The review of the account is ongoing, but it has been confirmed that members’ names and Social Security numbers were involved, and for some of those individuals, claims information and health plan identification numbers. SAG-AFTRA Health Plan is evaluating and enhancing its security controls and will notify the affected individuals when the file review is concluded. Individuals who had their Social Security numbers exposed will be offered complimentary credit monitoring services.
The HHS’ Office for Civil Rights breach portal indicates up to 35,592 individuals were affected.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
East Paris Internal Medicine Associates Discovers Insider Breach
East Paris Internal Medicine Associates, a Grand Rapids, MI-based medical group, has discovered an insider breach involving the protected health information of 5,239 patients. On or around October 4, 2024, the medical group learned that a now-former employee had sent unencrypted emails to a personal email account on three occasions on May 11, 2023, June 13, 2024, and October 2, 2024, that contained patient data, resulting in a breach of HIPAA email rules. The investigation also revealed the employee had connected a thumb drive to their work computer and downloaded a file that potentially contained patient data. The employee was asked to hand over the thumb drive but refused.
The investigation confirmed that the employee took information such as patient names, phone numbers, medical record numbers, service dates, diagnosis codes and descriptions, procedure codes and descriptions, billing provider names, service provider names, primary care provider names, health plan names, and the amount paid for the services provided. Internal controls are being reviewed and policies and procedures relating to protected health information are being reinforced with staff members.
