Catawba Valley Medical Center Phishing Attack Impacts 20,000 Patients

On August 13, 2018, Catawba Valley Medical Center (CVMC) in Hickory, NC discovered that an unauthorised individual had accessed the email account of a CVMC employee. Upon discovery of the email breach, steps were taken to secure the account and prevent further access, and a third-party computer forensics firm was called in to assist with the investigation and determine the extent of the breach.

That investigation revealed that between July 4 and August 17, 2018, three employees’ email accounts had been compromised after the employees responded to phishing emails. Some of the emails in those accounts contained patients’ protected health information including names, dates of birth, details of medical services received at CVMC, health insurance details, and for certain patients, Social Security numbers.

No evidence was found to suggest that any emails had been accessed or copied and no information has been received to suggest patient health information has been misused in any way.

The phishing incidents have prompted CVMC to hire security experts to enhance employee education. More robust email security controls have been implemented, and CVMC will continue to upgrade hardware and software as appropriate to repel malicious threats.

All patients whose protected health information may have been compromised as a result of the email account breaches were notified by mail on October 12, 2018.

The breach summary on the HHS’ Office for Civil Rights’ breach portal indicates up to 20,000 patients have potentially been affected by the email account breaches.

Byram Healthcare Alerts Patients to Insider Breach

Byram Healthcare, a provider of medical supplies, has been informed by law enforcement that a former employee has been accused of stealing the credit card information of patients.

Byram Healthcare investigated the incident and determined that the employee had access to personal information including names, addresses, dates of birth, limited health information, and credit card numbers, but not Social Security numbers. It is unclear at this stage how many patients have been affected.

Byram Healthcare has responded to the breach by providing further training to staff on privacy and security obligations and safeguarding patients’ protected health information. Monitoring of staff has also been increased. Affected patients were notified by mail of the privacy violation and possible theft of PHI on October 22, 2018.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.