Email Account Breaches Reported by 5 HIPAA-Regulated Entities
Email is the second most common location of breached healthcare data, behind only network servers. Over the past few days, five HIPAA-regulated entities have reported email account breaches that exposed patient data.
Hafetz and Associates, New Jersey
Hafetz and Associates, a Linwood, NJ-based independent insurance agency, has confirmed that employee email accounts were compromised in a phishing attack. When unauthorized activity was detected on October 12, 2023, immediate action was taken to secure its email accounts, and an investigation was launched to determine the extent of the breach.
Hafetz and Associates confirmed that several employee email accounts had been accessed by an unauthorized third party at various points between July 24, 2023, and October 12, 2023. The review confirmed that the accounts contained information such as names, dates of birth, Social Security numbers, and/or benefits election information. The data analysis involved checking every email and attachment in the affected accounts, identifying the exposed protected health information, determining the relationship with each affected individual, and establishing from whom the data had been obtained. That process was not completed until July 18, 2024. The affected employers and insurance carriers were notified about the incident on August 6, 2024, and individual notification letters have now been mailed to the affected individuals.
The breach was recently reported to the HHS’ Office for Civil Rights as involving the protected health information of 26,474 individuals. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals for 24 months. Hafetz and Associates said it had email security solutions in place, including multifactor authentication, but those controls were bypassed. Additional security measures have now been implemented and further training has been provided to employees on how to identify and avoid suspicious emails.
MiCare Health Center, Montana
MiCare Health Center, a Billings, MT-based provider of medical care to employer-managed health plans in five U.S. states, has notified the California Attorney General about unauthorized access to employee email accounts. The breach was detected on May 22, 2024, and an enterprise-wide password reset was performed to prevent further unauthorized access to the email system.
The forensic investigation confirmed that there had been unauthorized access to emails and email attachments at various times between April 19, 2024, and May 25, 2024. No evidence was found that any emails or attachments had been downloaded, but unauthorized viewing and theft of sensitive data could not be ruled out. The review of the affected accounts was completed on September 12, 2024, and confirmed that the emails and attachments contained information such as names, dates of birth, medical information, health insurance information, and Social Security numbers. Not all affected individuals had every one of those data elements exposed.
MiCare Health Center said it has implemented additional security measures to better protect its email system and is reviewing its policies and procedures, which will be updated to reduce the likelihood of a recurrence. Notifications to affected individuals began on October 11, 2024, and identity monitoring services have been offered free of charge. The incident is not yet listed on the HHS' Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
Texas Spine Consultants
Texas Spine Consultants, the operator of orthopedic centers in Addison and Plano, Texas, has discovered a breach of an employee's email account. Suspicious activity was detected in the account on or around May 13, 2024, and the account was immediately secured. With the assistance of third-party cybersecurity experts, the activity was investigated, and unauthorized access to the account was confirmed.
The review, completed on September 5, 2024, confirmed that the account contained patient data such as names, dates of birth, medical information, and health insurance information. No Social Security numbers, driver's license numbers, financial account information, or credit or debit card information were exposed. Patients' contact information has since been verified and individual notifications have been mailed to the affected individuals.
Although only one email account was compromised, all employee email accounts had their passwords reset, and security measures, including multifactor authentication, have been enhanced. To guard against misuse of the affected data, complimentary credit monitoring and identity theft protection services have been offered to the 8,048 affected individuals for 12 months.
Seven Counties Services, Kentucky
Seven Counties Services, a provider of addiction treatment, mental health, and developmental services in Kentucky, is investigating a breach of its email environment. Employee email accounts were first compromised on July 9, 2024, after employees responded to phishing emails. The phishing emails appeared to come from a trusted source, and employees were tricked into disclosing their account credentials.
The unauthorized access was detected by the IT department on August 12, 2024, and the accounts were immediately secured. The accounts were used for internal communication, and some of the emails included demographic, financial, and clinical protected health information that had been shared internally on a need-to-know basis for essential business operations. Several reports in the email accounts included information such as names, addresses, dates of birth, phone numbers, email addresses, Social Security numbers, dates of service, and diagnoses.
Seven Counties Services is currently evaluating additional access controls to better secure its accounts, and employee education on phishing and spoofing has been enhanced. External-sender banners had already been added to emails to alert employees to messages originating outside the organization. The investigation and file review are ongoing, and the HHS' Office for Civil Rights has been provided with an interim total of 501 affected individuals. The total will be updated when the investigation and file review are concluded.
Rim Country Health and Rehabilitation, Arizona
Rim Country Health and Rehabilitation in Arizona has experienced a breach of its email environment that affected 721 patients. The unauthorized access was detected by the IT department on July 16, 2024, and immediate action was taken to secure the accounts. The review confirmed that patient names, contact information, and medical records had been exposed. In response to the breach, security measures have been enhanced, further training has been provided to the workforce, and its IT infrastructure is being improved.