Boys Town National Research Hospital and NorthStar Anesthesia Discover PHI Compromised in Phishing Attacks

The phishing attacks on healthcare organizations continue… The past few days have seen two further healthcare organizations announce that email accounts were breached when employees responded to phishing emails.

Email Account Compromised at Boys Town National Research Hospital

Boys Town National Research Hospital (Boys Town), an Omaha, NE hospital specializing in pediatric deafness, visual and communication disorders, has announced that a recent phishing campaign has resulted in the email account of an employee being accessed by an unauthorized individual. The email account contained the protected health information of 105,309 patients.

Boys Town first became aware of a security breach on May 23, 2018 when unusual email account activity was detected. Computer forensics experts were called in to investigate and a breach was confirmed to have occurred on May 23.

Boys Town painstakingly examined the account email-by-email to determine which patients potentially had their PHI exposed and the amount of PHI that was potentially compromised.

The breach was confirmed as being confined to a single email account, which contained sensitive information of current and former patients and employees.

The information in the email account varied by individual, but may have included names, dates of birth, Social Security numbers, driver’s license numbers, employer ID numbers, health insurance information, disability codes, birth certificate information, marriage certificate information, passport information, banking and other financial information, medical record numbers, usernames and passwords, Medicare/Medicaid ID numbers, diagnosis and treatment information, and billing/claims information.

No evidence of data exfiltration was uncovered, although it is possible that PHI was accessed and potentially obtained. Individuals impacted by the incident have been offered complimentary identity theft protection services for 12 months. A review of policies and procedures is being conducted and additional safeguards will be implemented to help prevent further phishing attacks.

NorthStar Anesthesia Discovers Multiple Email Accounts Accessed by Unauthorized Individuals

An email phishing campaign targeting Irving, TX-based NorthStar Anesthesia, a provider of outsourced anesthesia services, was conducted between April 3 and May 24, 2018. The phishing campaign was identified on May 23, 2018, and access to all compromised accounts was blocked on May 24, 2018.

Third-party forensic investigators were called in to assist with the investigation and determine the extent of the attack and whether emails containing patients’ protected health information were accessed. The investigators determined that the compromised email accounts contained a range of protected health information which included names, health insurance application or claims information, birth dates, health insurance policy/subscriber numbers, taxpayer ID numbers, IRS identity protection numbers, medical histories, diagnosis and treatment information, medical record numbers, and for a limited number of individuals, Social Security numbers.

NorthStar Anesthesia is implementing additional safeguards to prevent further phishing attacks and affected individuals have been offered complimentary credit monitoring and identity restoration services for two years.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.