Almost 190,000 Patients Affected by Roper St. Francis Healthcare Phishing Attack
Roper St. Francis Healthcare has notified 189,761 patients that some of their protected health information was contained in employee email accounts that were accessed by an unauthorized individual. The email security breach was detected in late October 2020, and the subsequent investigation revealed three email accounts were compromised between October 14 and October 29, 2020.
A review off the email accounts was conducted to determine the information that was potentially accessed. It was not possible to tell if patient information was viewed or exfiltrated, although the attacker would have been able to access names, medical record numbers, patient account numbers, dates of birth, and limited treatment and clinical information, such as dates of service, locations of service, providers’ names, and billing information. The email accounts also contained the health insurance information and Social Security numbers of a limited number of patients.
Roper St. Francis Healthcare has offered complimentary credit monitoring and identity theft protection services to individuals whose Social Security number was potentially compromised. Steps have been taken to improve email security and employees have been provided with further training on email protection.
Einstein Healthcare Network Sends Additional Notifications About August 2020 Email Security Incident
Einstein Healthcare Network is notifying patients about a phishing attack that was discovered in the summer of 2020. The Pennsylvania-based healthcare provider, which operates medical centers in Philadelphia, Elkins Park, and East Norriton, identified unusual email account activity on August 10, 2020. The incident was investigated and it was determined that multiple employee email accounts had been accessed by an unauthorized individual between August 5, 2020 and August 17, 2020.
A review of the compromised email accounts was conducted to determine whether they contained any patient information. The review revealed emails and attachments contained the following types of patient data: Names, dates of birth, medical record numbers, patient account numbers, diagnoses, medications, provider names, types of treatment, and treatment locations. The types of information in the accounts varied from patient to patient, which for some patients also included Social Security numbers and health insurance information.
It was not possible to determine whether the unauthorized individual viewed or exfiltrated patient data while access to the email accounts was possible. Einstein Healthcare Network sent out a batch of breach notification letters to individuals potentially affected by the incident starting on October 9,2020. The breach was reported to the HHS’ Office for Civil Rights the same day. The OCR breach portal lists the incident as affecting 1,821 patients.
According to Einstein Healthcare Network’s substitute breach notice, “We continued our investigation, which concluded on November 16, 2020, and additional letters are mailing between January 21, 2021 and February 8, 2021.”
Email Incident Report by New York Center for Alternative Sentencing and Employment Services
The Center for Alternative Sentencing and Employment Services (CASES) in New York has discovered the email accounts of certain employees have been compromised. Hackers had access to the email accounts between July 6 and October 4, 2020.
An investigation of the breach revealed the hackers exfiltrated emails from the accounts that included patient data. For most patients, the stolen information was limited to name, date of birth, medical record/client ID number, and some clinical information related to the care provided by CASES. Some clients also had their Social Security number, driver’s license number, and/or health insurance information stolen. Those individuals have been offered complimentary credit monitoring and identity theft protection services.
Steps have since been taken to improve email security and the workforce has received further security awareness training.