HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Cano Health Discovers 2-Year Email Account Breach

The Florida-based population health management company and healthcare provider Cano Health has discovered that the email accounts of three employees were accessed by an unauthorized individual, who set up a mail forwarder on the accounts that sent emails to external addresses.

The breach was detected on April 13, 2020, but the investigation revealed the accounts were compromised two years previously, on or around May 18, 2018. All emails sent to and from the accounts between May 18, 2018 and April 13, 2020 are believed to have been obtained and have potentially been accessed.

A review of the emails confirmed they contained personal and protected health information such as names, contact information, dates of birth, healthcare information, insurance information, Social Security numbers, government identification numbers, and/or financial account numbers.

Cano Health is in the process of notifying affected individuals and has advised them to regularly review their accounts and benefits statements for signs of fraudulent activity. Cano Health will be providing affected patients with complimentary credit monitoring services.

Cano Health is taking steps to improve email security. “We are committed to continuously updating our information security to guard against new and emerging threats,” said Cano Health Chief Executive Officer, Dr. Marlow Hernandez-Cano.

The breach report on the HHS’ Office for Civil Rights website indicates 28,268 patients have been affected.

City of Philadelphia Phishing Attack Impacts 33,376 Patients

The City of Philadelphia’s Department of Behavioral Health and Intellectual disAbility Services (DBHIDS) has announced it has experienced a cyberattack that has resulted in the exposure of the protected health information of 33,376 individuals.

On March 31, 2020, suspicious activity was detected in the email account of an employee, although the breach investigation confirmed on April 2, 2020 that two email accounts had been compromised. The investigation into the phishing attack is ongoing and forensics experts are currently reviewing the email accounts, but no evidence has been found indicating patient data was accessed or exfiltrated by the attackers.

The breach affects patients with intellectual disabilities who had previously received services from the Division of Intellectual disAbility Services (IDS). The types of information compromised varied from patient to patient and may have included the following data elements: names, dates of birth, addresses, Social Security numbers, health insurance information, account and/or medical record numbers, diagnoses, dates of service, provider names, and brief descriptions of the services the individual had applied for or was receiving from IDS. A limited number of scans of birth certificates and Social Security cards were also included in the compromised accounts.

Breach notification letters will be sent to affected individuals by mail in the coming weeks and complimentary credit monitoring services will be provided.

Several steps have been taken to prevent similar breaches from occurring in the future. Staff will be provided with further education to help them recognize phishing emails, and monitoring of network activity has been increased.

Email Security Breach Experienced by MU Health Care

Columbia, MO-based MU Health Care has started notifying patients about an email security breach that was detected on September 21, 2019.

The attacker gained access to the email accounts of certain University of Missouri students affiliated with MU Health Care. The affected students had created email accounts with a third party that suffered a data breach in which email credentials were stolen. Those credentials were then used to access the students’ university email accounts between September 21 and September 26, 2019.

The breach only affected the students whose accounts were accessed. Their email accounts contained information such as names, dates of birth, Social Security numbers, and limited treatment and clinical information.

The breach highlights how important it is to use a unique password for each account.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.