HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Email Account Breaches Reported by Meharry Medical College and MEDNAX Services

Meharry Medical College in Nashville, TN, has discovered that an email account breach may have resulted in unauthorized individuals viewing or acquiring the protected health information of up to 20,963 patients.

The email account breach was detected and blocked around July 28, 2020. Third-party technical experts were engaged to investigate the breach and confirmed that the incident was limited to a single email account. On September 1, 2020, Meharry Medical College was informed that, given the nature of the breach, the contents of the email account may have been copied, most likely inadvertently during the standard email synchronization process.

A review of the content of the email account was performed and it was determined the email account contained patients’ full names, dates of birth, diagnoses/diagnostic codes, internal patient account numbers, provider names, and other health information. A limited number of patients also had their Social Security numbers, Medicare/Medicaid numbers, and health insurance information compromised.

Individuals whose Social Security number was potentially compromised have been offered complimentary membership to identity theft protection services.


PHI Potentially Compromised in Phishing Attack on MEDNAX Services Inc.

Sunrise, FL-based MEDNAX Services Inc., a provider of revenue cycle management and other administrative services to its affiliated physician practice groups, discovered on June 19, 2020, that unauthorized individuals had gained access to its Microsoft Office 365-hosted email system after employees responded to phishing emails.

Assisted by a national forensic firm, MEDNAX determined multiple business email accounts had been compromised between June 17, 2020 and June 22, 2020. A review of the accounts, which were separate from MEDNAX’s internal network and systems, revealed they contained patient names, guarantor names, email addresses, addresses, dates of birth, Social Security numbers, driver’s license numbers, state ID numbers, financial account information, health insurance information, Medicare/Medicaid numbers, medical and treatment information, and billing and claims information. It was not possible to determine what patient information, if any, was accessed by unauthorized individuals.

Affected individuals have been offered a complimentary 12-month membership to identity monitoring services. MEDNAX has conducted a review of its security controls and steps will be taken to enhance security to prevent similar breaches in the future.

Update: The breach report submitted to the HHS’ Office for Civil Rights shows 1,290,670 individuals were affected by the breach.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.