Covenant Care Email Account Breach Impacts 7,858 Patients

Covenant Care, an Aliso Viejo, CA-based provider of residential care and skilled nursing facilities, has discovered that an unauthorized individual gained access to an employee’s email account and may have viewed or obtained the protected health information of 7,858 patients.

On January 29, 2019, suspicious activity was detected in relation to the employee’s email account. Third-party forensics investigators were called in to help determine the nature and scale of the breach. The investigation revealed the email account was compromised on January 22, 2019. Access remained possible until the account was secured on January 29.

A review of the compromised email account was completed on February 13, 2019, and confirmed that emails and email attachments could have been opened while the account was accessible. An analysis of the messages revealed they contained patient information.

The information exposed varied from patient to patient and may have included full name, date of birth, Social Security number, health insurance claim number, medical record number, diagnoses, provider name(s), treatment location(s), Medicare covered days, Medicare billing amounts, admission and re-admission dates, dates of service, discharge dates, and information related to medical equipment, home health services, outpatient services, and hospice services.

At the time of issuing notifications, no evidence had been uncovered to suggest any patient information was accessed, stolen, or misused; however, out of an abundance of caution, patients were notified and have been offered 12 months of credit monitoring and identity theft restoration services at no charge. Notifications started to be sent on March 6, 2019.

Covenant Care reports that strict security safeguards had been implemented prior to the breach and that further controls will be put in place to increase email security. All technical, administrative, and physical safeguards are being reviewed to identify any further areas where improvements can be made, and employees will be provided with further training on email security and security awareness in general.

Author: HIPAA Journal
