HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Email Account Compromised: 1,200 MultiCare Patients’ ePHI Exposed

The Tacoma, WA-based MultiCare Health System has announced that the email account of one of its employees has been compromised by a hacker following a successful phishing attack.

The five-hospital health system issued a statement yesterday about the email security breach confirming patients’ protected health information had been compromised. It is unclear when access to the email account was first gained, although the email security breach was discovered by MultiCare Health on November 27, 2016.

An investigation into the breach was immediately launched and rapid action was taken to secure the health system’s email accounts, including resetting passwords on all email accounts. However, the investigation revealed that only one email account had been compromised.

An analysis of the email account revealed that emails contained the ePHI of 1,200 former and current patients. Data potentially accessed by the attacker included patients’ names, addresses, dates of birth, genders, dates of service, account balances, and diagnosis and treatment information. MultiCare has confirmed that the compromised email account contained no Social Security numbers or financial information.


Patients are in the process of being notified of the security breach by mail and have been advised to check their Explanation of Benefits statements and to report any irregularities. To date, MultiCare has not received any reports of misuse of patients’ information.

Phishing attacks on healthcare organizations are to be expected. It is therefore essential for healthcare organizations to make employees aware of the risk of phishing and how to identify potential phishing attacks. Phishing simulation exercises are highly effective at reinforcing training and can greatly improve detection of phishing emails. Healthcare organizations should also set up a system of reporting potential phishing emails. Fast detection can help to prevent other employees from falling for the scams.

To counter the threat and prevent similar incidents from occurring in the future, MultiCare Health is reinforcing the education and training of its employees and will be providing staff members with additional training on phishing email detection. A review of security practices and procedures and ePHI safeguards has also been scheduled.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.