HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Data Breaches Reported by Rady Children’s Hospital, Aveanna Healthcare and Endeavor Energy Resources

Rady Children’s Hospital-San Diego, the largest children’s hospital in California, discovered a security breach on January 3, 2020 in which the protected health information of certain patients was potentially accessed by an unauthorized individual.

A computer used by the radiology department had been remotely accessed by an unauthorized individual via an open internet port. A digital forensics firm was engaged to investigate the breach and determined that the computer was compromised on June 20, 2019 and access remained possible until the port was closed on January 3, 2020.

An analysis of the compromised device revealed on February 5, 2020 that names and genders of patients were potentially compromised along with the type and date of imaging studies and, for some patients, their date of birth, medical record number, referring physician’s name, and/or a description of the imaging study. No financial information, Social Security numbers, diagnoses, or medical images were compromised. Complimentary credit monitoring services have been offered to affected patients.

Rady Children’s Hospital is working closely with the digital forensics firm to determine what additional security measures are required to prevent further cyberattacks in the future.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Multiple Email Accounts Breached in Aveanna Healthcare Phishing Attack

Atlanta, GA-based Aveanna Healthcare, the largest provider of pediatric home care in the United States, has discovered the email accounts of several employees were compromised over the summer of 2019.

Aveanna Healthcare first identified suspicious activity in the email accounts of some of its employees on August 24, 2019. Third-party computer forensics specialists were engaged to assist with the investigation and determine the nature and extent of the attack. The investigation revealed several email accounts were compromised between July 9, 2019 and August 24, 2019. It was not possible to determine if any patient information was accessed or stolen by the attackers. The review of the compromised email accounts was completed on December 19, 2019.

The breach report submitted to the California Attorney General shows 5,004 California residents were affected. It is currently unclear how many patients in other states have also been affected. Californian patients were notified about the breach on February 14, 2020 and were offered complimentary credit monitoring and identity theft protection services for 12 months through TransUnion. Aveanna Healthcare determined that the following information of California residents was contained in the accounts: Names, Social Security numbers, driver’s license numbers, bank and financial information, State ID numbers, medical information, and health insurance information.

The HHS’ Office for Civil Rights breach portal indicates 166,077 patients were affected by the attack.

Endeavor Energy Resources Phishing Attack Impacts 5,100 Individuals

The oil and gas exploration form, Endeavor Energy Resources, has announced it has experienced a phishing attack that potentially saw unauthorized individuals gain access to the personal and health information of 5,103 current and former employees.

The attack was detected on January 14, 2020 when unusual activity was detected in the Office 365 email account of one of its employees. On February 7, 2020, Endeavour determined the compromised email account contained the names and health plan ID numbers of current and former Endeavor employees, employees of Endeavor affiliates, and dependents who also participate in the health plan.

Steps have now been taken to improve email security to prevent similar attacks in the future. At this stage of the investigation, Endeavor has found no evidence to suggest any information in the account has been misused.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.