Email Account Breaches Reported by Allaire Healthcare Group and Platinum Hospitalists

Allaire Healthcare Group and Platinum Hospitalists have recently announced that an unauthorized individual has gained access to an employee email account and potentially viewed or copied patient data.

PHI Potentially Compromised in Email Account Breach at Allaire Healthcare Group

Freehold, NJ-based Allaire Healthcare Group, which runs five residential healthcare facilities in the tri-state area that provide subacute care, dementia care, and respite care, has discovered an unauthorized individual has gained access to the email account of one of its employees. Suspicious activity was detected in the employee’s email account on November 24, 2021. Prompt action was taken to secure the account and its email system and to prevent further unauthorized access.

The forensic investigation confirmed the breach was limited to a single email account that was accessed by an unauthorized individual between November 10, 2021, and November 24, 2021. A programmatic and manual review of the affected email account was completed on March 18, 2022. The review confirmed the email account contained the protected health information of 13,148 individuals, including first and last names, Social Security numbers, Allaire-issued unique client identifier numbers, driver’s license numbers, passport numbers, financial account numbers, payment card information, information regarding medical histories, treatment/diagnosis information, prescription information, and/or health insurance information.

The forensic investigation found no evidence to suggest any of that information was viewed or downloaded, and no reports have been received of any instances of actual or attempted misuse of the data.

Platinum Hospitalists Discovers Phishing Attack and Data Breach

Platinum Hospitalists has recently started notifying 6,000 patients that some of their protected health information has potentially been compromised. On March 29, 2022, Platinum Hospitalists discovered an email account had been accessed by an unauthorized individual. The investigation confirmed that the employee’s credentials were stolen following a response to a phishing email. The breach was limited to a single email account, with the review of the account confirming it contained individually identifiable protected health information.

Platinum Hospitalists said patient data is encrypted when it is sent externally, including via email, but the nature of the attack meant the information in the account could have been viewed and downloaded in a readable form. The investigation has been unable to confirm the specific information that was compromised, but the following types of information were present in the email account: patient names, dates of birth, dates of service, diagnosis and procedure codes, medical record numbers/patient account numbers, insurance identification numbers, and invoiced amounts. No addresses or Social Security numbers were exposed.

The data mostly related to patients who were insured through Humana and received medical services from Platinum providers at acute hospitals and other medical facilities in the Las Vegas area between approximately October 2018 and March 2022.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.