Email Account Breaches Reported by Kansas & West Virginia Medical Centers
Heartland Community Health Center in Kansas and Charleston Area Medical Center in West Virginia have identified unauthorized access to employee email accounts that contained patient data.
Heartland Community Health Center
Heartland Community Health Center in Lawrence, Kansas, identified unauthorized access to an employee’s email account on October 1, 2024. The forensic investigation confirmed that the breach was limited to a single email account and no other systems were affected. The file review confirmed that the email account contained electronic protected health information such as names, addresses, phone numbers, email addresses, Social Security numbers, driver’s license/state ID numbers, dates of birth, medical diagnosis/treatment information, prescription information, dates of service, patient ID numbers, provider names, medical record numbers, Medicare/Medicaid numbers, health insurance information, health insurance claim numbers, health insurance policy numbers, and/or treatment cost information.
Heartland Community Health Center added a substitute breach notice to its website on November 27, 2024, and said the investigation into the incident is ongoing, passwords have been reset, email security policies and procedures are being reviewed, and complimentary credit monitoring and identity theft protection services will be offered to the affected individuals. The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.
Charleston Area Medical Center
Charleston Area Medical Center in West Virginia has discovered a small number of employees were targeted in a phishing attack. The unauthorized access was blocked, and a third-party cybersecurity company was engaged to conduct forensic analysis, which confirmed that an unauthorized third party gained access to a single email account between October 2, and October 3, 2024. No other systems were accessed; however, the email account contained patients’ protected health information.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The data involved varied from individual to individual and may have included first and last names, dates of birth, email addresses, phone numbers, Social Security numbers, driver’s license numbers, health information, and health insurance information. Additional technical security measures have been implemented, and additional cybersecurity training is being provided to the workforce. The substitute breach notice does not mention credit monitoring or identity theft protection services. The affected individuals have been advised to monitor their medical account statements and to report any misuse of their data.
The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.
