HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Artesia General Hospital Phishing Attack Impacts 13,905 Patients

Artesia General Hospital in Artesia, NM, has discovered the protected health information (PHI) of 13,905 patients has been compromised in a phishing attack.

The breach was detected when an employee’s email account was discovered to have been used to send unauthorized emails. The breach was detected on June 18, 2019 and the forensic analysis revealed the account had been accessed by an unauthorized individual between June 11 to June 18.

A leading computer forensics company was engaged to investigate the breach, but no evidence of data theft was discovered. To date, no reports have been received to suggest PHI has been stolen or misused.

The email accounts contained patients’ names, birth dates, patient account numbers, medical record numbers, health insurance information, and some treatment and/or clinical information, such as diagnoses, dates of service, and provider names. A small subset of affected patients also had Social Security numbers exposed.

The hospital has re-enforced security awareness training and additional measures are being implemented to improve email security. Patients who had their Social Security number exposed are being offered complimentary credit monitoring and identity theft protection services.

1,653 Patients of Carle Foundation Hospital Impacted by Phishing Attack

The email accounts of three physicians at Carle Foundation Hospital in Urbana, IL have been compromised in a phishing attack.

The security breach was detected on June 24, 2019 and the investigation revealed the accounts were compromised three weeks previously on June 3, 2019. Assisted by a third-party cybersecurity company, the hospital determined names, medical record numbers, birth dates, diagnoses, treatment plans, and clinical information were exposed. Affected patients had received previously received cardiology or surgery services at the hospital.

No evidence of data theft of PHI misuse was detected and notifications were sent ‘out of an abundance of caution.’  To prevent further incidents, employees are being retrained and email security is being improved.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.