HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Email Account Breaches Reported by Newman Regional Health and Contra Costa County

Newman Regional Health (NRH), which operates a 25-bed critical access hospital in Emporia, KS, has recently started notifying 52,224 patients that unauthorized individuals have gained access to certain employee email accounts that contained protected health information.

NRH explained on its website that a limited number of employee email accounts were accessed by unauthorized individuals over a period of 10 months in 2021 between January 26, 2021, and November 23, 2021. When the security breach was identified, prompt action was taken to secure the accounts and an investigation was launched to determine the extent and nature of the breach.

NRH said a review of the emails in the compromised accounts confirmed on March 14, 2022, that the following types of patient information had been exposed: Names, dates of birth, medical record/ID numbers, addresses, phone numbers, e-mail addresses, and limited heath, treatment or insurance information, and for employees, information collected in connection with an individual’s receipt of services from or employment with NRH. A subset of individuals also had their Social Security number or financial information exposed.

The types of information exposed varied from individual to individual, and no evidence of fraudulent activity as a result of the breach has been identified at the time of issuing notification letters.  NRH said it has implemented additional measures to enhance security.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Contra Costa County Reports Email Account Security Incident

Contra Costa County in California has announced a breach of employee email accounts and the exposure of sensitive personal information. The forensic investigation of the breach revealed employee email accounts had been accessed by unauthorized individuals between June 24, 2021, and Aug. 12, 2021.

According to the substitute breach notice on the Contra Costa County website, the email accounts contained information on employees and individuals who had previously contacted the County’s Employment and Human Services Department. The types of information exposed included names, Social Security numbers, driver’s license numbers, state-issued I.D. numbers, financial account numbers, passport numbers, medical information, and/or health insurance information.

While unauthorized email account access was confirmed, it was not possible to tell if any emails or attachments in the accounts had been viewed or downloaded. It is unclear when the breach was detected; however, Contra Costa County said the breach investigation concluded on March 11, 2022, and notification letters were sent to affected individuals on April 15, 2022. Complimentary credit monitoring services have been offered to eligible individuals.

The breach has not yet appeared on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.