HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Covenant Care Email Account Breach Impacts 7,858 Patients

Covenant Care, the Aliso Viejo, CA-based provider of residential care and skilled nursing facilities, has discovered that an unauthorized individual gained access to an employee’s email account and may have viewed or obtained the protected health information of 7,858 patients.

On January 29, 2019, suspicious activity was detected in relation to the employee’s email account. Third-party forensics investigators were called in to help determine the nature and scale of the breach. The investigation revealed the email account was compromised on January 22, 2019. Access remained possible until the account was secured on January 29.

A review of the compromised email account was completed on February 13, 2019, and confirmed that emails and email attachments could have been opened while the account was accessible. An analysis of the messages revealed they contained patient information.

The information exposed varied from patient to patient and may have included full name, date of birth, Social Security number, health insurance claim number, medical record number, diagnoses, provider name(s), treatment location(s), Medicare covered days, Medicare billing amounts, admission and re-admission dates, dates of service, discharge dates, and information related to medical equipment, home health services, outpatient services, and hospice services.

At the time of issuing notifications, no evidence had been uncovered to suggest any patient information was accessed, stolen, or misused; however, out of an abundance of caution, patients were notified and have been offered 12 months of credit monitoring and identity theft restoration services at no charge. Notifications started to be sent on March 6, 2019.

Covenant Care reports that strict security safeguards had been implemented prior to the breach and that further controls will be put in place to increase email security. All technical, administrative, and physical safeguards are being reviewed to identify any further areas where improvements can be made, and employees will be provided with further training on email security and security awareness in general.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist in healthcare industry legal and regulatory affairs and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.