HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Email Account Breaches Reported by University of Minnesota Physicians and McLeod Health

University of Minnesota Physicians has suffered a phishing attack that gave the attackers access to the email accounts of two employees. One email account was accessible between January 30 and January 31, 2020 and the other on February 4, 2020 for a short period of time.

Upon discovery of the breach, the accounts were immediately secured, and third-party forensic investigators were engaged to assess the nature and scope of the breach. The review did not uncover any evidence to suggest emails in the accounts had been viewed or patient data obtained, but it was not possible to rule out data access with a sufficiently high degree of certainty.

A review of the compromised accounts revealed they contained the protected health information of certain patients. The types of information in the accounts varied from patient to patient and may have included name, address, date of birth, date of death, date of service, telephone number, medical record number, account number, payment card number, health insurance information, and medical information. A limited number of individuals also had their Social Security number exposed.

Notification letters started to be sent to affected individuals on March 30, 2020, even though the investigation was still ongoing. That investigation has now been completed. The delay was due to the painstaking and lengthy process involved in identifying the relevant data.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

University of Minnesota Physicians said that at the time of the breach, multiple email security controls were in place including multi-factor authentication, regular training was being provided to employees on privacy and security, and phishing simulations were being conducted.

Additional technology has now been implemented to further improve security and refresher security training has been provided to employees. Affected individuals have been offered 12 months of complimentary credit monitoring and identity theft protection services through Kroll.

The March 30, 2020 entry on the Office for Civil Rights breach portal indicates 683 individuals have been affected at the time of writing.

McLeod Health Discovers Email Account Breach

South Carolina-based Mcleod Health has discovered the email account of an employee has been accessed by unauthorized individual. Suspicious email account activity was detected on June 23, 2020 and the email account was immediately secured.

A comprehensive forensic review was conducted to determine the nature and scope of the breach, which revealed the email account was breached between April 13, 2020 and April 16, 2020. On August 19, 2020, McLeod Health determined the content of the email account had been downloaded by the attacker in April.

McLeod Health is in the process of conducting a review of the impacted email account to determine what information has been obtained by the attacker and which patients have been affected. Notifications will be mailed to affected patients when the review is completed.

McLeod Health had previously implemented multi-factor authentication to prevent compromised credentials from being used to gain access to email accounts; however, some internal settings had prevented it from being implemented on some devices. That issue is now being addressed and additional security awareness training is being provided to employees.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.