Goodwin Living and L.A. County Department of Mental Health Suffer Email Breaches
Goodwin Living and the Los Angeles County Department of Mental Health have recently reported breaches of their email environments and the exposure and potential theft of patient data.
Goodwin Living, Virginia
Goodwin House Incorporated, which does business as Goodwin Living and provides hospice care, home health, and rehab services, has discovered unauthorized access to an employee email account. The forensic investigation confirmed unauthorized access to the account from October 2, 2023, to October 18, 2023. Following the investigation, the compromised account was manually reviewed to identify the individuals affected and the types of data involved, and that process was completed on July 30, 2024. The review confirmed that the account contained the protected health information of 7,170 patients, which an unauthorized third party may have viewed or acquired.
The information involved varied from individual to individual and included first and last names combined with addresses, phone numbers, email addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account information, military identification numbers, medical record numbers, patient/resident identification numbers, Medicare/Medicaid numbers, diagnoses, treatment information, prescriptions, provider names, and health insurance information.
Goodwin Living worked with third-party cybersecurity experts and implemented additional safeguards such as enhancements to security awareness training and updated its cybersecurity policies, procedures, and protocols.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Los Angeles County Department of Mental Health
Los Angeles County Department of Mental Health has discovered a breach of its email environment. The Department of Health explained in its September 4, 2024, breach notification letter that the attack occurred on May 28, 2024, and involved unauthorized access to three employee Microsoft 365 accounts. The accounts were compromised as a result of employees responding to phishing emails that impersonated a trusted business partner.
The investigation confirmed that unauthorized individuals accessed the business partner’s email server, which was used to send multiple phishing emails to the Department’s employees. The review of the email account confirmed that the protected health information of patients had been exposed and may have been copied. That information included names, addresses, dates of birth, Social Security numbers, medical/health information, health insurance information, and financial account numbers.
The accounts were immediately disabled when the breach was detected, and password and multifactor authentication credentials were reset. The review of the accounts was completed on July 15, 2024, then contact information was verified to allow notification letters to be mailed. The Department of Mental Health is unaware of any misuse of patient data. Patients have been advised to monitor their accounts for suspicious activity.
Los Angeles County Department of Mental Health has reported four data breaches in the past year: two email breaches in December 2023 and March 2024 affecting a total of 2,692 individuals and two network server hacking incidents were reported in May 2024 (1,598 individuals) and September 2024 (2,334 individuals).
