
Community Memorial Health System Phishing Attack Reported

The protected health information of almost 1,000 patients has potentially been accessed as a result of a recent Community Memorial Health System phishing attack.

On June 22, 2017, a Community Memorial Health System employee responded to a phishing email and divulged his/her login credentials, allowing an unauthorized individual to gain access to a single email account. The employee realized the mistake the following day and reported the breach to the IT department, which launched an investigation to determine whether any patient information could have been accessed.

The email account was discovered to contain a selection of protected health information including patients’ names, medical record numbers, dates of services, and a limited amount of health information. The Social Security numbers of some patients were also potentially compromised. No bank account information or credit/debit card numbers were exposed.

The discovery of protected health information in the email account prompted Community Memorial Health System to bring in a computer forensics expert to determine whether any emails had been accessed and whether PHI had been stolen.

While the possibility of PHI access could not be ruled out, the consultant concluded the probability of PHI being accessed was low. However, out of an abundance of caution, Community Memorial Health System is offering 24 months of credit monitoring and identity theft protection services to all 959 patients impacted by the breach. All patients affected by the breach have now been notified by mail and the incident has been reported to the Department of Health and Human Services’ Office for Civil Rights.

The phishing attack has prompted Community Memorial Health System to provide its employees with additional training to reduce the likelihood of further successful phishing attacks.

This is one of several phishing attacks to be reported by healthcare organizations in the past few weeks. Covered entities can improve their defenses against phishing attacks by implementing an advanced spam filtering solution and conducting phishing awareness training. Research from PhishMe, a provider of a phishing training and simulation platform, suggests phishing simulation exercises can reduce susceptibility to phishing attacks by up to 95%.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.