Email Account Breaches Reported by Prestera Center and Wisconsin Institute of Urology

Prestera Mental Health Center in West Virginia has started notifying 2,152 individuals about a security breach involving employee email accounts. On or around April 1, 2021, Prestera Center learned that certain employee email accounts had been subjected to unauthorized access between August 2020 and September 2020.

While it was possible to confirm that there had been unauthorized access, it was not possible to tell whether any patient data had been viewed or acquired.

A review was conducted to determine the types of information that were present in the email accounts and which individuals had been affected. The types of data in the account varied from individual to individual and may have included names, addresses, dates of birth, state identification card numbers, Social Security numbers, financial account information, medical information, and health insurance information.

Upon discovery of the breach, prompt action was taken to secure the accounts to prevent any further unauthorized access. Policies and procedures have since been reviewed and updated, and additional safeguards have been implemented to improve email security.

Notification letters have been sent to affected individuals and a complimentary membership to the TransUnion Interactive MyTrueIdentity credit monitoring service has been offered.

This is the second email account breach to have been reported in the past few months. On December 31, 2020, Prestera Center reported an email account breach involving patient names, dates of birth, medical record and/or patient account numbers, diagnostic information, healthcare provider information, prescription and/or treatment information and, in some instances, addresses, social security numbers and Medicare/Medicaid ID numbers. It is unclear if these two incidents are related.

Wisconsin Institute of Urology Says PHI Potentially Compromised in Email Security Incident

Wisconsin Institute of Urology (WIU) has discovered the email account of an employee has been accessed by an unauthorized individual. WIU was alerted to the breach on or around May 26, 2021 when suspicious activity was detected in the email account. The account was immediately secured by changing the password and an investigation was launched to determine the nature and extent of the breach.

It was confirmed on June 9, 2021 that an unauthorized individual had used the employee’s credentials to access the account; however, no reports have been received about any cases of misuse of patient data.

A time intensive review was conducted to identify all individuals whose protected health information was contained in emails and email attachments. That review revealed the email account contained PHI such as names, dates of birth, medical treatment and/or medical diagnosis information, health insurance information and, for a limited number of individuals, Social Security numbers.

The breach report submitted to the HHS’ Office for Civil Rights indicates 4,819 patients were affected.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.