Share this article on:
American Medical Technologies, a Irvine, CA-based provider of wound care solutions and medical supplies, has discovered an unauthorized individual gained access to the email account of one of its employees and potentially accessed and copied the protected health information of some of its patients.
The breach was identified on or around December 17, 2019 when suspicious activity was detected in the email account. The investigation confirmed the attacker potentially had access to protected health information such as names, medical record numbers, Social Security numbers, diagnosis information, health insurance policy numbers, subscriber numbers, medical histories, HIPAA account information, driver’s license/state identification numbers, and/or taxpayer ID numbers. No evidence was fund to suggest patient information was viewed or stolen in the attack, but unauthorized data access and data exfiltration could not be ruled out.
A comprehensive analysis of the email accounts was conducted which was completed on May 14, 2020. The review revealed the account contained the PHI of 47,767 patients, who have now been notified about the breach by mail. Affected patients have been offered complimentary credit monitoring services.
Following the breach, two independent security firms were engaged to conduct a review of email security and additional security measures have now been implemented based on their recommendations. Steps have also been taken to improve data security on the firm’s web server infrastructure.
3,663 Patients Notified About Kentuckiana Regional Planning & Development Agency Phishing Attack
Kentuckiana Regional Planning & Development Agency (KIPDA) in Louisville, KY has discovered a single email account has been accessed by an unauthorized individual. The breach was detected on February 18, 2020 when KIPDA discovered a large number of emails had been sent from the account. The account was immediately secured, and an investigation was launched to determine the nature and scope of the breach.
Assisted by a third-party digital forensics firm, KIPDA determined the email account was accessed between January 29, 2020 and February 14, 2020. The investigation confirmed on April 9, 2020 that protected health information may have been viewed or copied, but it was not possible to tell which, if any, emails in the account had been accessed.
The protected health information included in emails and email attachments was limited to names, addresses, dates of birth, diagnosis and treatment information, billing and procedure codes, and Medicaid ID number. Certain patients also had their Social Security number and/or driver’s license details exposed.
KIPDA explained in its substitute breach notice that several steps have been taken to improve security, which include increasing the frequency of password changes, the implementation of 2-factor authentication on email accounts, the use of secure data files for storing sensitive data, and updates to policies and procedures that now require email data to be regularly and securely deleted from email accounts.
Employees have also been provided with further training on procedures and cybersecurity, and the risks associated with sharing sensitive data via email have been highlighted. KIPDA is also considering restricting access to its network to individuals located within the United States.