HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Email Breaches Reported by Eastern Los Angeles Regional Center & Mercy Grace Private Practice

Eastern Los Angeles Regional Center has discovered the email account of an employee has been accessed by an unauthorized individual. Suspicious activity was detected in the email account on July 15, 2021. A password reset was performed to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the breach.

It was confirmed that the account was accessed for a limited period of time on July 15, 2021 and that the email account contained the protected health information of 12,921 individuals, including first and last names, Social Security numbers, ELARC-issued client identifier numbers, Tax ID numbers, medical histories, treatment or diagnosis information, and health insurance information.

Eastern Los Angeles Regional Center said it found no evidence to suggest any information in the email account was exfiltrated or subjected to actual or attempted misuse.

Additional technical safeguards have been implemented to further enhance the security of sensitive information and affected individuals have been offered 12 months of complimentary credit monitoring services through Kroll.

Mercy Grace Private Practice Notifies 4,450 Patients About Data Breach

On August 30, 2021, Mercy Grace Private Practice in Gilbert, AZ notified 4,450 patients about a business email compromise attack in December 2020 involving a fraudulent wire transfer.

A third-party computer forensics firm was engaged to perform a comprehensive analysis of its entire email environment. That investigation confirmed that two employee email accounts had been compromised.

A review of the two email accounts confirmed they contained patient data such as names, Social Security numbers, driver’s license numbers, state identification numbers, financial account information, and limited health information. The purpose of the attack appears to have been to defraud the practice rather than obtain patient data. Mercy Grace Private Practice is unaware of any actual or attempted misuse of patient data as a result of the security breach.

In response to the breach, security protocols have been enhanced and further cybersecurity training has been provided to employees.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.