The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Email Breaches Reported by Eastern Los Angeles Regional Center & Mercy Grace Private Practice

Eastern Los Angeles Regional Center has discovered the email account of an employee has been accessed by an unauthorized individual. Suspicious activity was detected in the email account on July 15, 2021. A password reset was performed to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the breach.

It was confirmed that the account was accessed for a limited period of time on July 15, 2021 and that the email account contained the protected health information of 12,921 individuals, including first and last names, Social Security numbers, ELARC-issued client identifier numbers, Tax ID numbers, medical histories, treatment or diagnosis information, and health insurance information.

Eastern Los Angeles Regional Center said it found no evidence to suggest any information in the email account was exfiltrated or subjected to actual or attempted misuse.

Additional technical safeguards have been implemented to further enhance the security of sensitive information and affected individuals have been offered 12 months of complimentary credit monitoring services through Kroll.


Mercy Grace Private Practice Notifies 4,450 Patients About Data Breach

On August 30, 2021, Mercy Grace Private Practice in Gilbert, AZ notified 4,450 patients about a business email compromise attack in December 2020 involving a fraudulent wire transfer.

A third-party computer forensics firm was engaged to perform a comprehensive analysis of its entire email environment. That investigation confirmed that two employee email accounts had been compromised.

A review of the two email accounts confirmed they contained patient data such as names, Social Security numbers, driver’s license numbers, state identification numbers, financial account information, and limited health information. The purpose of the attack appears to have been to defraud the practice rather than obtain patient data. Mercy Grace Private Practice is unaware of any actual or attempted misuse of patient data as a result of the security breach.

In response to the breach, security protocols have been enhanced and further cybersecurity training has been provided to employees.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
